Vulnerabilities in Popular DMS Products Can Expose Sensitive Documents

Multiple XSS vulnerabilities in popular document management system (DMS) products could allow attackers to access sensitive documents.

Multiple cross-site scripting (XSS) vulnerabilities in popular document management system (DMS) products could allow attackers to access sensitive documents, Rapid7 reports.

DMS solutions help users manage the production, storage, and distribution of documents. They may also provide collaboration capabilities and support for managing other types of files.

A total of eight XSS vulnerabilities were identified in products from OnlyOffice, OpenKM, LogicalDOC, and Mayan, all of which can be described as issues related to improper neutralization of input during web page generation. 

None of these issues, however, has been resolved. Despite Rapid7’s efforts to contact the impacted vendors, none of them responded.

All the vulnerable DMS solutions – available as on-prem or cloud-hosted collaboration platforms – are designed for small to medium-sized businesses (SMBs), and exploitation of the identified bugs in attacks could have dire consequences.

Tracked as CVE-2022-47412, the most severe of the vulnerabilities impacts OnlyOffice Workspace and requires an attacker to trick a user into storing a malicious document in the DMS and then convince them to open the document via an embedded search function.

Two XSS bugs (CVE-2022-47413 and CVE-2022-47414) were identified in OpenKM. The first of the issues can be triggered like CVE-2022-47412, but the second requires access to the OpenKM console.

Four XSS vulnerabilities were found in the LogicalDOC DMS: CVE-2022-47415 in the in-app messaging system, CVE-2022-47416 in the chat system, CVE-2022-47417 in the document file name, and CVE-2022-47418 in stored version comments.

The Mayan EDMS flaw, CVE-2022-47419, impacts the platform’s in-product tagging system.

An attacker exploiting any of these vulnerabilities could steal the session cookie of a locally logged-in administrator and then impersonate the user to create a rogue account on the platform, which would provide them with access to all documents stored in the DMS.

Rapid7 recommends that users take extra care when importing documents from unknown or untrusted sources into the DMS and that administrators limit the creation of anonymous, untrusted users for the affected DMS products.

Affected DMS versions include OnlyOffice Workspace, OpenKM 6.3.12, LogicalDOC CE/Enterprise 8.7.3/8.8.2, LogicalDOC Enterprise 8.8.2, and Mayan EDMS 4.3.3.

“Given the high severity of a stored XSS vulnerability in a document management system, especially one that is often part of automated workflows, administrators are urged to apply any vendor-supplied updates on an emergency basis,” Rapid7 notes.
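The flaw class described above (improper neutralization of input during web page generation) in the kinds of fields the article lists as affected, shown as an added example that is not code from Rapid7 or any of the vendors: the Python below audits stored metadata for values a browser would parse as markup and renders the same values with output encoding. The field names, record layout and sample records are hypothetical and constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Field kinds the article names as affected (file name, version comment,
# tag, message). The key names themselves are assumptions for this example.
AUDITED_FIELDS = ("file_name", "version_comment", "tag", "message")


class _MarkupDetector(HTMLParser):
    """Collects every element name an HTML parser extracts from a string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def find_markup(value):
    """Return the element names found in a value (empty list if plain text)."""
    detector = _MarkupDetector()
    detector.feed(value)
    detector.close()
    return detector.tags


def audit(records):
    """Return (record id, field, tags) for each stored value containing markup."""
    findings = []
    for rec in records:
        for field in AUDITED_FIELDS:
            tags = find_markup(rec.get(field, ""))
            if tags:
                findings.append((rec["id"], field, tags))
    return findings


def render_row(rec):
    """Output-encode every stored value before placing it in element content."""
    cells = "".join(f"<td>{html.escape(rec.get(f, ''), quote=True)}</td>"
                    for f in AUDITED_FIELDS)
    return f"<tr>{cells}</tr>"


# Constructed sample records, not taken from any real system.
SAMPLE = [
    {"id": 1, "file_name": "Q3 report.pdf", "version_comment": "a < b fixed", "tag": "R&D"},
    {"id": 2, "file_name": "invoice.pdf", "version_comment": "<img src=x onerror=alert(1)>"},
    {"id": 3, "file_name": "<script>alert(1)</script>.txt", "tag": "<b>urgent</b>"},
]
```

Running `audit()` over an export of the DMS metadata gives administrators a list of stored values to review while no vendor fix is available; `render_row()` shows the encoding step whose absence defines this vulnerability class.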


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
