Lucene search

GitHub Advisory DatabaseGHSA-MW75-QVFR-HPMR

HistoryMar 15, 2022 - 12:01 a.m.

Cross-site Scripting in ShowDoc

2022-03-1500:01:01

CWE-79

GitHub Advisory Database

github.com

showdoc

vulnerability

stored xss

file upload

patch available

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

ShowDoc is vulnerable to stored cross-site scripting through file upload in versions 2.10.3 and prior. A patch is available and anticipated to be part of version 2.10.4.

Affected configurations

Vulners

Node

showdocshowdocRange≤2.10.3

VendorProductVersionCPE
showdocshowdoc*cpe:2.3:a:showdoc:showdoc:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
showdoc	showdoc	*	cpe:2.3:a:showdoc:showdoc::::::::

References

github.com/advisories/GHSA-mw75-qvfr-hpmr

github.com/star7th/showdoc/commit/830c89a4c2c5fd0dd491422bf8e97b4eb5713f55

huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e

nvd.nist.gov/vuln/detail/CVE-2022-0938

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Related for GHSA-MW75-QVFR-HPMR