ShowDoc Unauthenticated File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

An unrestricted file upload vulnerability has been identified in ShowDoc versions prior to 2.8.7. The issue arises from inadequate validation of the file extensions of uploaded files, which allows an attacker to upload a web shell or other arbitrary PHP code and have it executed on the server, resulting in remote code execution.

Impact

Exploitation of this vulnerability allows for unauthorized file uploads, which can be leveraged to execute arbitrary code on the server, potentially leading to a full compromise of the affected system.

Reproduction

To reproduce this vulnerability, upload a file through the application's image upload feature, bypassing the file extension restrictions: change the file name so that the file is handled as PHP, with the file itself containing PHP code, such as a PHP shell. Once uploaded, the PHP code can be executed on the server.
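The root cause described above is an upload path that decides what a file is from a client-controlled extension alone. The following is an added, illustrative hardened image-upload validator written for this page; it is not ShowDoc's code and does not reflect the project's actual patch. It assumes PHP 8 (for str_contains), the fileinfo extension, and hypothetical names validate_image_upload(), handle_upload(), ALLOWED_IMAGE_TYPES and an $uploadDir that the web server does not execute PHP from. It shows the checks a defender wants in such a handler: an extension allowlist instead of a denylist, rejection of multi-dot and path-bearing names, verification that the bytes really are an image of the declared type, and a server-generated storage name so the client never chooses the name on disk.

```php
<?php
// Added example, not ShowDoc's code. Demonstrates defensive validation of
// an image upload so that a PHP file cannot be stored under an executable name.
declare(strict_types=1);

// Allowlist: accepted extension => MIME type the content must actually have.
// (Constructed for this example; extend deliberately, never with a denylist.)
const ALLOWED_IMAGE_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

/**
 * Validate an uploaded file as an image and return a safe name to store it under.
 * $originalName is the client-supplied name; $tmpPath is the server-side temporary
 * file (e.g. $_FILES['file']['tmp_name']). Throws on any failed check.
 */
function validate_image_upload(string $originalName, string $tmpPath): string
{
    // 1. Reject path separators, NUL bytes and more than one dot. This blocks
    //    traversal ("../x.png") and double-extension names ("shell.php.png").
    $base = basename($originalName);
    if ($base !== $originalName
        || str_contains($base, "\0")
        || substr_count($base, '.') !== 1) {
        throw new RuntimeException('Rejected file name');
    }

    // 2. The extension must be in the allowlist (exact, case-insensitive match).
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        throw new RuntimeException('Extension not allowed: ' . $ext);
    }

    // 3. The content must be an image of the declared type. Sniff the bytes on
    //    disk; never trust the client-supplied Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    if (getimagesize($tmpPath) === false) {
        throw new RuntimeException('Not a decodable image');
    }

    // 4. Store under a random server-generated name plus the validated extension,
    //    so no part of the on-disk name is chosen by the client.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Handler-side usage: $file is one entry of $_FILES, $uploadDir is an assumed
 * directory that is either outside the web root or configured so that the web
 * server serves it as static content only (no PHP execution).
 */
function handle_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }

    $storedName = validate_image_upload($file['name'], $file['tmp_name']);
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $storedName;
}
```

The single-dot rule is deliberately strict: it also rejects harmless names like "my.photo.png", which is the right trade-off for an upload endpoint where the stored name is regenerated anyway. The content check (finfo plus getimagesize) is what closes the gap a pure extension check leaves, and keeping the upload directory non-executable is the defence in depth that holds even if a validation bug slips through.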

Remediation

Users are advised to update to the latest version of ShowDoc, as the vulnerability has been patched in version 2.8.7.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread           5.0
impact          10.0
exploitability   9.5
remediation      0.0
relevance        0.0
threat           6.4
urgency          2.9
incentive       10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.