Multiple unpatched security flaws have been disclosed in open source and freemium Document Management System (DMS) offerings from four vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
Cybersecurity firm Rapid7 said the eight vulnerabilities offer a mechanism through which “an attacker can convince a human operator to save a malicious document on the platform and, once the document is indexed and triggered by the user, giving the attacker multiple paths to control the organization.”
The list of eight cross-site scripting (XSS) flaws, discovered by Rapid7 researcher Matthew Kienow, is as follows –
- CVE-2022-47412 – ONLYOFFICE Workspace Search Stored XSS
- CVE-2022-47413 and CVE-2022-47414 – OpenKM Document and Application XSS
- CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 – LogicalDOC Multiple Stored XSS
- CVE-2022-47419 – Mayan EDMS Tag Stored XSS
Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application (e.g., via a comment field), causing the rogue code to be activated upon every visit to the application.
A threat actor can exploit the aforementioned flaws by supplying a decoy document, granting the intruder the ability to further their control over the compromised network.
“A typical attack pattern would be to steal the session cookie that a locally-logged in administrator is authenticated with, and reuse that session cookie to impersonate that user to create a new privileged account,” Tod Beardsley, director of research at Rapid7, said.
In an alternate scenario, the attacker could abuse the identity of the victim to inject arbitrary commands and gain stealthy access to the stored documents.
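The two defensive controls that break the pattern described above, as an added illustration that is not code from Rapid7 or from any of the affected products: escaping user-supplied DMS metadata (here a tag label, as in the Mayan EDMS tag flaw) at render time so stored markup stays inert, and marking the session cookie HttpOnly so a script that does fire cannot read it. The tag value, cookie name and wrapper markup are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a tag label as an attacker might store it in a DMS.
# Hypothetical value, not one of the payloads from the Rapid7 disclosure.
MALICIOUS_TAG = '<img src=x onerror="alert(1)">'

def render_tag_label(label: str) -> str:
    """Return the HTML for a tag label with every metacharacter escaped.

    Stored XSS in a DMS arises when user-controlled metadata (tag names,
    document titles, search terms) is concatenated into a page unescaped.
    Escaping at render time keeps the label inert regardless of what was
    saved, so the fix does not depend on filtering at upload time.
    """
    return f'<span class="tag">{html.escape(label, quote=True)}</span>'

def payload_is_inert(rendered: str) -> bool:
    """True when no raw markup survived inside the rendered tag wrapper."""
    inner = rendered[len('<span class="tag">'):-len('</span>')]
    return not any(ch in inner for ch in '<>"\'')

def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for a session cookie page scripts cannot read.

    HttpOnly blocks document.cookie access, so a stored XSS that fires in an
    administrator's browser cannot lift the session cookie for reuse. Secure
    and SameSite=Strict restrict where the browser will send it at all.
    """
    cookie = SimpleCookie()
    cookie["DMS_SESSION"] = session_id  # constructed cookie name
    morsel = cookie["DMS_SESSION"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:")

if __name__ == "__main__":
    rendered = render_tag_label(MALICIOUS_TAG)
    print(rendered)
    print("inert:", payload_is_inert(rendered))
    print(session_cookie_header("a1b2c3d4e5f6"))
```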
The cybersecurity firm noted that the issues were reported to the respective vendors on December 1, 2022, and continue to remain unfixed despite coordinating the disclosures with the CERT Coordination Center (CERT/CC).
Users of the affected DMS are advised to proceed with caution when importing documents from unknown or untrusted sources, as well as to limit the creation of anonymous, untrusted users and restrict certain features such as chats and tagging to known users.