CVE-2022-0960
Published 2022-03-14
CVE-2022-0960: Stored XSS via .properties file upload in GitHub repository star7th/showdoc prior to 2.10.4.
Priority P426, medium, 5.4 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.84% (53.2th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| showdoc | showdoc | < 2.10.4 | 2.10.4 |
| showdoc | showdoc | >= 0 < 2.10.4 | 2.10.4 |
| star7th | star7th_showdoc | >= unspecified < 2.10.4 | 2.10.4 |
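CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |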
GHSA
Cross-site Scripting in showdoc/showdoc
ghsa·2022-03-15
CVE-2022-0960 [CRITICAL] CWE-434 Cross-site Scripting in showdoc/showdoc
ShowDoc is a tool greatly applicable for an IT team to share documents online. showdoc/showdoc allows .properties files to be uploaded, which leads to stored XSS in versions prior to 2.10.4. This allows attackers to execute malicious scripts in the user's browser. This issue was patched in version 2.10.4. There is currently no known workaround.
OSV
Cross-site Scripting in showdoc/showdoc
osv·2022-03-15
CVE-2022-0960 [CRITICAL] Cross-site Scripting in showdoc/showdoc
ShowDoc is a tool greatly applicable for an IT team to share documents online. showdoc/showdoc allows .properties files to be uploaded, which leads to stored XSS in versions prior to 2.10.4. This allows attackers to execute malicious scripts in the user's browser. This issue was patched in version 2.10.4. There is currently no known workaround.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.