
CVE-2022-0960: Cross-site Scripting in showdoc/showdoc

CVSS Score
9.0 (CVSS v3.0)

Basic Information

EPSS Score
0.57983%
Published
3/15/2022
Updated
1/27/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Package Name
showdoc/showdoc
Ecosystem
composer
Vulnerable Versions
< 2.10.4
First Patched Version
2.10.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper file type validation in the attachment handling functionality. The commit diff shows the removal of .properties from the allowed extensions list in the isAllowedFilename function. This function validates which file types may be uploaded, and before the patch its allowlist admitted .properties files, a text format that can carry an XSS payload. The fix being a direct edit to that allowlist confirms the function's role in the vulnerability. The XSS executes when such an improperly validated file is later rendered by the application.
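To make the allowlist logic concrete, the following is an added example in PHP (showdoc's language); it is not showdoc's own code and not part of Miggo's analysis. It shows a minimal isAllowedFilename-style check in an assumed pre-patch form (with .properties) and post-patch form (without it), and the response headers a practitioner would pair with any such allowlist. The allowlist contents, the helper names extensionOf and attachmentResponseHeaders, and the sample filenames are assumptions constructed for illustration.

```php
<?php
// Added example (not showdoc's or Miggo's code): an upload-extension
// allowlist in the shape the advisory describes, an isAllowedFilename-style
// function whose allowlist was edited. The allowlists below are assumptions,
// not showdoc's real lists; "before" keeps .properties, "after" drops it.

function extensionOf(string $filename): string
{
    // Judge only the final extension of the base name, lower-cased, so
    // "NOTES.PROPERTIES" matches "properties" and "photo.jpg.properties"
    // is judged as "properties", not as "jpg".
    $base = basename($filename);
    $dot = strrpos($base, '.');
    if ($dot === false || $dot === strlen($base) - 1) {
        return '';
    }
    return strtolower(substr($base, $dot + 1));
}

function isAllowedFilenameBefore(string $filename): bool
{
    // Assumed pre-patch allowlist: .properties is still permitted.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip', 'properties'];
    return in_array(extensionOf($filename), $allowed, true);
}

function isAllowedFilenameAfter(string $filename): bool
{
    // Assumed post-patch allowlist: .properties removed, mirroring the fix.
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];
    return in_array(extensionOf($filename), $allowed, true);
}

// General hardening to pair with an allowlist (practitioner guidance, not
// something the advisory attributes to showdoc): serve stored attachments as
// downloads with MIME sniffing disabled, so a text-like upload is never
// interpreted as a document by the browser even if the allowlist is wrong.
function attachmentResponseHeaders(string $storedName): array
{
    // Strip quote and CR/LF characters so the filename cannot break out of
    // the header value.
    $safeName = str_replace(['"', "\r", "\n"], '', basename($storedName));
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample filenames: a plain .properties upload, a mixed-case
// variant, two double-extension cases, and a benign PDF.
$samples = [
    'notes.properties',
    'NOTES.PROPERTIES',
    'photo.jpg.properties',
    'photo.properties.jpg',
    'report.pdf',
];
foreach ($samples as $name) {
    printf(
        "%-22s before=%-8s after=%s\n",
        $name,
        isAllowedFilenameBefore($name) ? 'allowed' : 'rejected',
        isAllowedFilenameAfter($name) ? 'allowed' : 'rejected'
    );
}
foreach (attachmentResponseHeaders('notes.properties') as $header) {
    echo $header, "\n";
}
```

Run it with `php example.php`. The three .properties variants are allowed by the "before" list and rejected by the "after" list, while photo.properties.jpg and report.pdf pass both, which is the point of comparing only the final, lower-cased extension: a naive substring or case-sensitive check could be bypassed by NOTES.PROPERTIES or misjudge photo.jpg.properties. When verifying a patched instance, the two checks to make are that a .properties upload is refused and that whatever the application does serve comes back as a download rather than rendered inline.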


WAF Protection Rules

WAF Rule

ShowDoc is a tool greatly applicable for an IT team to share documents online. showdoc/showdoc allows .properties files to upload which lead to stored XSS in versions prior to 2.10.4. This allows attackers to execute malicious scripts in the user's …
