Radio silence from DMS vendor quartet over XSS zero-days

No updates or patches have been provided by the vendors of the affected document management systems.

Document Management System Vulnerabilities

Recent research has highlighted several critical vulnerabilities in document management systems (DMS) affecting four enterprise-level providers, who have yet to address the security concerns.

In a blog entry released on February 7, Tod Beardsley, director of research at Rapid7, reported that the cross-site scripting (XSS) vulnerabilities are present in vendors including ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.

The software Rapid7 examined spans a range of deployment models, including on-premises, cloud-hosted, open source, and freemium DMS products.


“Given the critical nature of a stored XSS vulnerability in a document management system, especially in automated workflows, it is imperative for administrators to implement any vendor-supplied updates promptly,” the researchers recommend.

However, as of this writing, no such updates have been issued.

Vulnerability Analysis

The most significant vulnerability was identified in ONLYOFFICE’s Workspace enterprise application platform. Designated as CVE-2022-47412, it is estimated to affect versions ranging from 0 to 12.1.0.1760. This stored XSS flaw can be exploited if a hacker succeeds in saving a malicious document within the DMS for indexing.

If a victim inadvertently saves this document, it can trigger the XSS vulnerability, allowing the attacker to capture session cookies and potentially create new privileged accounts or gain unauthorized access to stored documents.

OpenKM has two additional vulnerabilities, CVE-2022-47413 and CVE-2022-47414, which affect version 6.3.12 of its open source DMS. CVE-2022-47413 is another stored XSS flaw, while the latter requires an attacker to have authenticated access to the OpenKM console before they can exploit the stored XSS vulnerability found in the document ‘note’ feature.

LogicalDOC’s open source DMS was found to have four less severe vulnerabilities, of which only CVE-2022-47416, a stored XSS in the in-app chat system, affects the Enterprise version.

CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418 affect both LogicalDOC Community Edition and Enterprise, versions 8.7.3 and 8.8.2 respectively; they are located in the in-app messaging system, the document file name index, and document version comments. Although these vulnerabilities require some form of authentication, Rapid7 indicates that guest privileges may often suffice to compromise administrators.

The least serious unpatched vulnerability is CVE-2022-47419, identified as a tag-based XSS in Mayan’s open source DMS, EDMS Workspace, version 4.3.3.
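Each of the flaws above follows the same stored XSS pattern: attacker-controlled document metadata (a file name, a note, a version comment, a tag, a chat message) is saved, indexed, and later rendered into another user's page without output encoding. The Python below is an added illustration written for this article, not code from Rapid7 or from any of the vendors named; the `StoredDocument` type, the sample document and its inert placeholder payloads are constructed for the example.

```python
from __future__ import annotations
import html
from dataclasses import dataclass, field


@dataclass
class StoredDocument:
    """Metadata a DMS indexes and later renders: the field types named in the article."""
    filename: str
    note: str = ""
    version_comment: str = ""
    tags: list[str] = field(default_factory=list)


# Constructed sample: metadata carrying markup, as an uploaded document might.
# The payloads are harmless placeholders used only to show the encoding difference.
HOSTILE_DOC = StoredDocument(
    filename='report<img src=x onerror="alert(1)">.pdf',
    note="Q4 numbers <b>bold</b>",
    version_comment="v2 -- fixed totals",
    tags=["finance", "<svg/onload=alert(2)>"],
)


def render_row_vulnerable(doc: StoredDocument) -> str:
    """The defect behind stored XSS: stored fields concatenated into HTML unencoded."""
    tags = ", ".join(doc.tags)
    return (f"<tr><td>{doc.filename}</td><td>{doc.note}</td>"
            f"<td>{doc.version_comment}</td><td>{tags}</td></tr>")


def render_row_safe(doc: StoredDocument) -> str:
    """Same row, but every stored field is HTML-entity encoded at output time."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)  # encodes < > & " and '
    tags = ", ".join(esc(t) for t in doc.tags)
    return (f"<tr><td>{esc(doc.filename)}</td><td>{esc(doc.note)}</td>"
            f"<td>{esc(doc.version_comment)}</td><td>{tags}</td></tr>")


def contains_raw_markup(rendered: str, doc: StoredDocument) -> bool:
    """Regression check for a template: True if any stored field containing
    markup-significant characters survived into the page verbatim."""
    fields = [doc.filename, doc.note, doc.version_comment, *doc.tags]
    return any(("<" in f or '"' in f) and f in rendered for f in fields)


def session_cookie_header(token: str) -> str:
    """Defence in depth for the cookie-theft impact described above: HttpOnly keeps
    the session value out of reach of any script that does run in the page."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"
```

`contains_raw_markup` is the kind of check a DMS test suite can run over every listing template with a seeded document like `HOSTILE_DOC`, so that a field added later (a new comment type, a chat message) cannot quietly reintroduce the defect.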

Lack of Vendor Response

In every case, Rapid7 attempted to reach the vendors through email, support channels, and submission of support tickets.

“Regrettably, none of the vendors were able to respond to our disclosures, despite having previously coordinated with CERT/CC,” Rapid7 stated. “Consequently, we are disclosing these issues as per our vulnerability disclosure policy.”

Rapid7 researcher Matthew Kienow was responsible for identifying these vulnerabilities.

The Daily Swig contacted each vendor for further comments and will update this article upon receiving their responses.


Based on an article from PortSwigger: https://portswigger.net/daily-swig/radio-silence-from-dms-vendor-quartet-over-xss-zero-days
