CVE-2018-16342
Description
ShowDoc v1.8.0 allows stored cross-site scripting (XSS) via a new page, enabling cookie theft.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ShowDoc v1.8.0 contains a stored cross-site scripting (XSS) vulnerability exploitable through the page creation feature. An authenticated attacker can inject arbitrary JavaScript into a new page's content, which is then stored and executed when any user views that page [1][2]. The vulnerability resides in the page content handler, which fails to sanitize user-provided input before persisting and rendering it [3].
Exploitation
An attacker must have a registered account on the ShowDoc instance. The steps are: register an account, create a new project, click the '+' button to add a new page, and in the page content field enter a payload such as ``. Upon saving and viewing the page, the script executes in the context of the victim's browser [3]. No additional user interaction is required beyond opening the affected page.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. The proof-of-concept demonstrates cookie theft by exfiltrating document.cookie to an external server [3]. This can lead to session hijacking, impersonation, and further privileged actions within the application. The attacker gains access to the victim's authenticated session and any data visible to that user.
Mitigation
As of the available references, no patch has been released for CVE-2018-16342 [2]. The GitHub repository [1] does not indicate a fixed version. Users should apply a web application firewall rule to block common XSS payload patterns in page content fields, or restrict access to trusted users only. The vendor was notified via the GitHub issue tracker [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| showdoc/showdoc (Packagist) | <= 1.8.0 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- [1] github.com/advisories/GHSA-2263-jwgm-wv97 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2018-16342 (NVD entry)
- [3] github.com/star7th/showdoc/issues/325 (GitHub issue, MISC reference)
News mentions (0)
No linked articles in our index yet.