Radio silence from DMS vendor quartet over XSS zero-days

No updates or patches have been received from the providers of vulnerable document management systems.

Researchers have uncovered a series of critical vulnerabilities in document management systems (DMS) affecting four enterprise-level vendors, all of whom have yet to address these issues.

In a blog post dated February 7, Tod Beardsley, the director of research at Rapid7, revealed that the cross-site scripting (XSS) vulnerabilities are present in products from ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.

The software analyzed by Rapid7 consists of on-premise, cloud-based, open-source, and freemium DMS solutions.

“Given the critical nature of a stored XSS vulnerability within a DMS, particularly one integrated into automated workflows, administrators are strongly advised to implement any updates from the vendors as a priority,” the researchers caution.

However, as of now, no updates have been issued.

Vulnerability Breakdown

The most severe vulnerability is associated with ONLYOFFICE’s Workspace enterprise application platform. Identified as CVE-2022-47412, it is believed to affect versions ranging from 0 to 12.1.0.1760. This stored cross-site scripting vulnerability can be exploited if an attacker successfully stores a malicious document in the DMS.

If a victim inadvertently saves the malicious document, the XSS condition is triggered, enabling the attacker to steal session cookies to create new privileged accounts or hijack browser sessions for access to stored documents.

In addition, two vulnerabilities, CVE-2022-47413 and CVE-2022-47414, affect version 6.3.12 of OpenKM’s open-source DMS. CVE-2022-47413 is another stored XSS vulnerability that requires a victim to save a malicious document, while CVE-2022-47414 requires authenticated access to the OpenKM console.

Four additional vulnerabilities were detected in LogicalDOC’s DMS. Only one of them, CVE-2022-47416, a stored XSS flaw in the in-app chat system, is confined to the Enterprise edition.

The other three, CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418, affect both the Community and Enterprise editions (versions 8.7.3 and 8.8.2 respectively).

These vulnerabilities reside within the in-app messaging system, stored document file name indexes, and stored document version comments. While they require some form of authentication to exploit, Rapid7 notes that even guest privileges may suffice to target administrators.

The least severe unpatched vulnerability is CVE-2022-47419, which is a tag-based XSS flaw identified in Mayan’s open-source DMS, version 4.3.3.

No Vendor Response

In all cases, Rapid7 made attempts to reach out to the vendors through email, support channels, and support tickets.

“Unfortunately, none of the vendors responded to Rapid7’s outreach regarding the disclosure, despite the coordination with CERT/CC,” the company stated. “As a result, these findings are being made public in line with Rapid7’s vulnerability disclosure policy.”

Rapid7 has informed The Daily Swig that no communication was received from any of the organizations following the disclosure.

Matthew Kienow, a Rapid7 researcher, was responsible for identifying these vulnerabilities.

The team at The Daily Swig has contacted each vendor for comment, and updates will be provided as responses are received.

Based on an article from PortSwigger: https://portswigger.net/daily-swig/radio-silence-from-dms-vendor-quartet-over-xss-zero-days