CVE-2022-0960: Cross-site Scripting in showdoc/showdoc
9
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.57983%
CWE
Published
3/15/2022
Updated
1/27/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
showdoc/showdoc | composer | < 2.10.4 | 2.10.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper file type validation in the attachment handling functionality. The commit diff shows the removal of .properties
from the allowed extensions list in the isAllowedFilename
function. This function's purpose is to validate
uploadable file types, and its pre-patch implementation permitted dangerous file types that could carry XSS payloads. The direct modification of this allowlist in the patch confirms its role in the vulnerability. The XSS execution would occur when these improperly validated files are subsequently rendered by the application.