Stored XSS due to Unrestricted File Upload in star7th/showdoc


Reported on

Mar 13th 2022


Stored XSS via uploading files in .xsd, .asa and .aspx (already mentioned in previous report) formats.

Proof of Concept

For .xsd


<a:script xmlns:a="">alert(1)</a:script>

For .asa and .aspx



Steps to Reproduce

1.Login into
2.Navigate to file library (
3.In the File Library page, click the Upload button and choose the poc.xsd file.
4.After uploading the file, click on the check button to open that file in a new tab.

XSS will trigger when the attachment is opened in a new tab.


.xsd -
.asa -
.aspx -


An attacker can perform social engineering on users by redirecting them from a real website to a fake one. a hacker can steal their cookies etc.

We are processing your report and will contact the star7th/showdoc team within 24 hours. a year ago
Ajaysen R modified the report
a year ago
Ajaysen R submitted a
a year ago
star7th validated this vulnerability a year ago
Ajaysen R has been awarded the disclosure bounty
The fix bounty is now up for grabs
a year ago


I won't set this problem as "fixed" for the time being. If you find similar problems, you can give feedback again

Ajaysen R
a year ago


Ok, Fine.

a year ago


I have updated the whitelist mechanism. And tested it again. There should be no more omissions. So let me fix this problem. At the same time, I'll write you the repairer, so you get an extra $20.

star7th marked this as fixed in 2.10.4 with commit 3caa32 a year ago
Ajaysen R has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation