Platform: php
Component: showdoc
Fixed in: 2.10.4
CVE-2022-0965 is a stored Cross-Site Scripting (XSS) vulnerability affecting Showdoc versions 2.10.4 and earlier. This vulnerability arises from the insecure handling of .ofd file uploads, allowing attackers to inject malicious JavaScript code. Successful exploitation can lead to session hijacking, defacement, and other malicious actions. Affected versions include all installations of Showdoc prior to version 2.10.4; upgrading to the patched version is essential.
An attacker can exploit this vulnerability by uploading a specially crafted .ofd file to a Showdoc instance. This file contains malicious JavaScript code that will be executed in the context of the user's browser when they view the uploaded file. This can lead to a variety of attacks, including session hijacking, where the attacker gains control of the user's account. The attacker could also inject malicious scripts into the Showdoc interface, potentially defacing the website or redirecting users to phishing sites. The blast radius extends to all users who interact with the vulnerable Showdoc instance, making it a significant security risk.
CVE-2022-0965 was publicly disclosed on March 15, 2022. While no active exploitation campaigns have been publicly confirmed, the ease of exploitation and the potential impact make it a likely target. There are publicly available proof-of-concept (POC) exploits demonstrating the vulnerability. It is not currently listed on CISA KEV.
Organizations using Showdoc for documentation management, particularly those running older, unpatched versions (≤2.10.4), are at significant risk. Shared hosting environments where multiple users share the same Showdoc installation are especially vulnerable, as a single compromised account could impact all users.
• php / server:
    find /var/www/showdoc -name '*.ofd' -print0 | xargs -0 grep -iE '<script'
• generic web:
    curl -sI 'http://your-showdoc-instance/uploads/malicious.ofd' | grep -i 'Content-Type:'
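The two checks above, extended into a triage script; this is an added example, not code from Showdoc or from the original advisory. It assumes a genuine OFD document is a ZIP package (first bytes `PK\x03\x04`), and the function names and reason labels are hypothetical.

```shell
#!/bin/sh
# Added example: triage for .ofd uploads. Names and reason labels are hypothetical.
# Assumption: a genuine OFD document is a ZIP package, so it begins with the
# bytes "PK\x03\x04"; anything else stored under an .ofd name deserves review.

# Print "<reason><TAB><path>" for every suspicious .ofd file under directory $1.
audit_ofd_uploads() {
    find "$1" -type f -iname '*.ofd' -exec sh -c '
        for f; do
            # First four bytes as lowercase hex (504b0304 for a ZIP container).
            magic=$(head -c 4 "$f" | od -An -tx1 | tr -d " \n")
            [ "$magic" = "504b0304" ] || printf "not-zip\t%s\n" "$f"
            # -a scans binary files as text, so markup inside a container is seen.
            if grep -qaiE "<(script|svg|iframe|html)|javascript:|on(error|load)[[:space:]]*=" "$f"; then
                printf "active-markup\t%s\n" "$f"
            fi
        done' sh {} +
}

# Read response headers on stdin (for example from: curl -sI URL) and print
# one finding per line; no output means the file is served as an inert download.
check_download_headers() (
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    ctype=$(printf '%s\n' "$hdrs" | sed -n 's/^content-type:[[:space:]]*//p' | head -n 1)
    case "$ctype" in
        # Types a browser renders as a document; an empty type invites sniffing.
        ''|text/html*|application/xhtml+xml*|image/svg+xml*|text/xml*|application/xml*)
            printf 'renderable-type\t%s\n' "${ctype:-none}" ;;
    esac
    printf '%s\n' "$hdrs" | grep -q '^content-disposition:[[:space:]]*attachment' ||
        printf 'no-attachment-disposition\n'
    printf '%s\n' "$hdrs" | grep -q '^x-content-type-options:[[:space:]]*nosniff' ||
        printf 'no-nosniff\n'
)
```

Run `audit_ofd_uploads /var/www/showdoc` on the server, and pipe the output of the `curl -sI` check into `check_download_headers` to see whether an uploaded file would be rendered in the browser rather than downloaded.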
EPSS: 0.38% (60th percentile)
The primary mitigation for CVE-2022-0965 is to upgrade Showdoc to version 2.10.4 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, consider implementing strict input validation on uploaded files, specifically .ofd files, to prevent the injection of malicious code. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly scan Showdoc installations for vulnerabilities using automated security tools.
Upgrade Showdoc to version 2.10.4 or later. This version contains a fix for the stored XSS vulnerability. The upgrade can be performed by downloading the new version from the repository and replacing the existing files.
CVE-2022-0965 is a critical stored XSS vulnerability in Showdoc versions up to 2.10.4, allowing attackers to inject malicious JavaScript via .ofd file uploads.
Yes, if you are running Showdoc version 2.10.4 or earlier, you are vulnerable to this XSS attack. Upgrade to the latest version (2.10.4+) immediately.
Upgrade Showdoc to version 2.10.4 or later. Implement strict input validation for .ofd files as a temporary workaround if upgrading is not immediately possible.
While no active campaigns have been confirmed, the vulnerability is easily exploitable and a likely target for attackers. Public POCs are available.
Refer to the Showdoc project's official website or GitHub repository for the latest security advisories and updates related to CVE-2022-0965.