Feb 08, 2023 | Ravie Lakshmanan
Multiple unpatched security flaws have been disclosed in open
source and freemium Document Management System (DMS) offerings from
four vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
Cybersecurity firm Rapid7 said the eight vulnerabilities offer a
mechanism through which “an attacker can convince a human operator
to save a malicious document on the platform and, once the document
is indexed and triggered by the user, giving the attacker multiple
paths to control the organization.”
The list of eight cross-site scripting (XSS[1]) flaws, discovered by
Rapid7 researcher Matthew Kienow, is as follows –
- CVE-2022-47412 – ONLYOFFICE Workspace Search Stored XSS
- CVE-2022-47413 and CVE-2022-47414 – OpenKM Document and Application XSS
- CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 – LogicalDOC Multiple Stored XSS
- CVE-2022-47419 – Mayan EDMS Tag Stored XSS
Stored XSS, also known as persistent XSS, occurs when a
malicious script is injected directly into a vulnerable web
application (e.g., via a comment field), causing the rogue code to
be activated upon each visit to the application.
A threat actor can exploit the aforementioned flaws by providing
a decoy document, granting the interloper the ability to further
their control over the compromised network.
“A typical attack pattern would be to steal the session cookie
that a locally-logged in administrator is authenticated with, and
reuse that session cookie to impersonate that user to create a new
privileged account,” Tod Beardsley, director of research at Rapid7,
said[2].
In an alternative scenario, the attacker could abuse the
identity of the victim to inject arbitrary commands and gain
stealthy access to the stored documents.
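As an added illustration (not code from Rapid7 or any of the four vendors), the Python sketch below shows the stored XSS pattern described above on a constructed tag label: the vulnerable render, the output-encoded render, an allow-list check at save time, and a session cookie marked HttpOnly so page scripts cannot read it. The function names, the `sessionid` cookie name and the sample values are hypothetical.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed sample: a tag label saved by an untrusted user (harmless marker).
STORED_TAG = "<script>alert(1)</script>"

# Assumed policy for this example: labels are short, plain words.
LABEL_RE = re.compile(r"[\w .\-]{1,64}")


def is_valid_label(label: str) -> bool:
    """Allow-list check applied when a tag is saved."""
    return LABEL_RE.fullmatch(label) is not None


def render_tag_unsafe(label: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML as-is,
    so any markup in it runs for every user who views the page."""
    return '<span class="tag">' + label + "</span>"


def render_tag_safe(label: str) -> str:
    """Hardened pattern: HTML-encode the stored value at output time."""
    return '<span class="tag">' + html.escape(label, quote=True) + "</span>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that script cannot read. HttpOnly only blocks cookie
    theft; output encoding is still required, because an injected script
    could otherwise act inside the victim's session."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = "Strict"
    cookie["sessionid"]["path"] = "/"
    return cookie["sessionid"].OutputString()


if __name__ == "__main__":
    print(is_valid_label(STORED_TAG))
    print(render_tag_unsafe(STORED_TAG))
    print(render_tag_safe(STORED_TAG))
    print(session_cookie_header("constructed-session-id"))
```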
The cybersecurity firm noted that the flaws were reported to the
respective vendors on December 1, 2022, and continue to remain
unfixed despite coordinating the disclosures with the CERT
Coordination Center (CERT/CC).
Users of the affected DMS are advised to proceed with caution
when importing documents from unknown or untrusted sources as well
as limit the creation of anonymous, untrusted users and restrict
certain features such as chats and tagging to known users.
Read more https://thehackernews.com/2023/02/unpatched-security-flaws-disclosed-in.html