Unpatched Security Flaws Disclosed in Multiple Document Management Systems

Multiple unpatched security flaws have been disclosed in open source and freemium Document Management System (DMS) offerings from four vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.

Cybersecurity firm Rapid7 said the eight vulnerabilities offer a mechanism through which “an attacker can convince a human operator to save a malicious document on the platform and, once the document is indexed and triggered by the user, giving the attacker multiple paths to control the organization.”

The list of eight cross-site scripting (XSS) flaws, discovered by Rapid7 researcher Matthew Kienow, is as follows:


  • CVE-2022-47412 - ONLYOFFICE Workspace Search Stored XSS
  • CVE-2022-47413 and CVE-2022-47414 - OpenKM Document and Application XSS
  • CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 - LogicalDOC Multiple Stored XSS
  • CVE-2022-47419 - Mayan EDMS Tag Stored XSS

Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application (e.g., via a comment field), causing the rogue code to be activated upon each visit to the application.

A threat actor can exploit the aforementioned flaws by providing a decoy document, granting the interloper the ability to further their control over the compromised network.

“A typical attack pattern would be to steal the session cookie that a locally-logged in administrator is authenticated with, and reuse that session cookie to impersonate that user to create a new privileged account,” Tod Beardsley, director of research at Rapid7, said.

In an alternative scenario, the attacker could abuse the identity of the victim to inject arbitrary commands and gain stealthy access to the stored documents.

The cybersecurity firm noted that the flaws were reported to the respective vendors on December 1, 2022, and continue to remain unfixed despite coordinating the disclosures with CERT Coordination Center (CERT/CC).

Users of the affected DMS are advised to proceed with caution when importing documents from unknown or untrusted sources as well as limit the creation of anonymous, untrusted users and restrict certain features such as chats and tagging to known users.
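For teams that maintain or review a DMS deployment, the following added example (not code from Rapid7 or any of the affected products) shows the stored XSS pattern described above next to its output-encoded form, a heuristic audit of already-stored values such as tag labels, and a session cookie that page scripts cannot read. The function names, the `sessionid` cookie name and the sample values are assumptions made for illustration.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample of stored metadata (e.g. tag labels); the last one carries markup.
STORED_LABELS = ["Invoices 2022", "Contracts", "<img src=x onerror=alert(1)>"]

# Heuristic only: an HTML tag opener, an inline event handler, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def render_label_unsafe(label: str) -> str:
    """Vulnerable pattern: the stored value is placed into HTML unmodified."""
    return f'<span class="tag">{label}</span>'


def render_label_safe(label: str) -> str:
    """Encode on output so stored markup is shown as text, never parsed."""
    return f'<span class="tag">{html.escape(label, quote=True)}</span>'


def audit_stored_values(values):
    """Return stored values that look like markup and deserve manual review."""
    return [v for v in values if MARKUP.search(v)]


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value that scripts cannot read and that is TLS-only."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id      # cookie name is an assumption
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = "Strict"
    cookie["sessionid"]["path"] = "/"
    return cookie["sessionid"].OutputString()


if __name__ == "__main__":
    for label in STORED_LABELS:
        print(render_label_safe(label))
    print("review:", audit_stored_values(STORED_LABELS))
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

HttpOnly only keeps an injected script from reading the cookie; the script can still act within the victim's session, so output encoding remains the actual fix.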
