
CVE-2022-0950: Cross-site Scripting in ShowDoc

CVSS Score: 5.4 (CVSS version 3.1)

Basic Information

EPSS Score: 0.49989%
Published: 3/16/2022
Updated: 1/27/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name: showdoc/showdoc
Ecosystem: composer
Vulnerable Versions: < 2.10.4
First Patched Version: 2.10.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from using a blacklist (isDangerFilename) instead of a whitelist for file validation. The patch replaced all instances of isDangerFilename with isAllowedFilename (whitelist) and added explicit error messages. The vulnerable functions directly handled file upload validation using the insecure blacklist method, allowing .html files that enable stored XSS when executed.
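
The difference between the two validation styles described above, as an added example (not ShowDoc's code and not taken from the patch). The function names is_denied_filename and is_allowed_filename, both extension lists, and the sample filenames are hypothetical and constructed for illustration.

```php
<?php
// Added illustration. Names and lists are hypothetical, not ShowDoc's own.

// Blacklist (denylist) style: reject only the extensions someone listed.
// Anything not anticipated, such as .html, passes by default.
function is_denied_filename(string $name): bool
{
    $denied = ['php', 'phtml', 'php5', 'exe', 'sh']; // constructed list
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, $denied, true);
}

// Whitelist (allowlist) style: accept only extensions known to be safe
// to serve back to other users. Everything else fails closed.
function is_allowed_filename(string $name): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip']; // constructed list
    // Reject empty names, control characters and path separators outright.
    if ($name === '' || preg_match('/[\x00-\x1f\/\\\\]/', $name)) {
        return false;
    }
    // Only the final extension counts, so "a.png.html" is judged as "html".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample upload names.
$samples = ['diagram.png', 'notes.html', 'page.HTML', 'report.pdf',
            'shell.php', 'logo.svg', 'noext', 'a.png.html'];

foreach ($samples as $f) {
    printf(
        "%-12s blacklist: %-7s whitelist: %s\n",
        $f,
        is_denied_filename($f) ? 'reject' : 'accept',
        is_allowed_filename($f) ? 'accept' : 'reject'
    );
}
```

The blacklist check accepts notes.html, page.HTML, logo.svg and a.png.html because none of those extensions were listed, while the whitelist check rejects all four.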


WAF Protection Rules

WAF Rule

The upload feature of ShowDoc prior to version 2.10.4 allows files with the extension `.**tml`, which leads to stored cross-site scripting.
