Multiple cross-site scripting (XSS) vulnerabilities in popular document management system (DMS) products could allow attackers to access sensitive documents, Rapid7 reports.
DMS solutions help users manage the production, storage, and distribution of documents. They may also provide collaboration capabilities and support for managing other types of files.
A total of eight XSS vulnerabilities were identified in products from OnlyOffice, OpenKM, LogicalDOC, and Mayan, all of which can be described as issues related to improper neutralization of input during web page generation.
None of these issues, however, has been resolved. Despite Rapid7’s efforts to contact the impacted vendors, none of them responded.
All the vulnerable DMS solutions – available as on-prem or cloud-hosted collaboration platforms – are designed for small to medium-sized businesses (SMBs) and the exploitation of the identified bugs in attacks could have dire consequences.
Tracked as CVE-2022-47412, the most severe of the vulnerabilities impacts OnlyOffice Workspace and requires an attacker to trick a user into storing a malicious document in the DMS and then convince them to open the document via an embedded search function.
Two XSS bugs (CVE-2022-47413 and CVE-2022-47414) were identified in OpenKM. The first of the issues can be triggered like CVE-2022-47412, but the second requires access to the OpenKM console.
Four XSS vulnerabilities were found in the LogicalDOC DMS: CVE-2022-47415 in the in-app messaging system, CVE-2022-47416 in the chat system, CVE-2022-47417 in the document file name, and CVE-2022-47418 in stored version comments.
The Mayan EDMS flaw, CVE-2022-47419, impacts the platform’s in-product tagging system.
An attacker exploiting any of these vulnerabilities could steal the session cookie of a locally logged-in administrator and then impersonate the user to create a rogue account on the platform, which would provide them with access to all documents stored in the DMS.
Rapid7 recommends that users pay extra care when importing documents from unknown or untrusted sources into the DMS and that administrators limit the creation of anonymous, untrusted users for the affected DMS products.
Affected DMS versions include OnlyOffice Workspace 12.1.0.1760, OpenKM 6.3.12, LogicalDOC CE/Enterprise 8.7.3/8.8.2, LogicalDOC Enterprise 8.8.2, and Mayan EDMS 4.3.3.
“Given the high severity of a stored XSS vulnerability in a document management system, especially one that is often part of automated workflows, administrators are urged to apply any vendor-supplied updates on an emergency basis,” Rapid7 notes.
Related: Atlassian Warns of Critical Jira Service Management Vulnerability
Related: Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
Related: F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
