Providers of vulnerable document management systems have yet to respond or issue patches for reported security issues.
Recent research has revealed several significant vulnerabilities in document management systems (DMS) affecting four major enterprise vendors, none of which has yet issued a fix.
A blog post released on February 7 highlights insights from Tod Beardsley, Director of Research at Rapid7, detailing cross-site scripting (XSS) flaws that impact the vendors ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.
The examined software consists of on-premise, cloud, open-source, or freemium DMS options.
“Considering the critical nature of a stored XSS vulnerability in a document management system, especially one utilized in automated workflows, administrators are strongly advised to implement any available vendor-supplied updates immediately,” the researchers recommend.
As of this writing, there have been no updates from the vendors.
Detailed Vulnerability Analysis
The most critical vulnerability is associated with ONLYOFFICE’s Workspace enterprise application platform. Known as CVE-2022-47412 and affecting versions 0 through 12.1.0.1760, this stored XSS vulnerability could potentially be exploited if an attacker manages to upload a malicious document to the DMS for indexing.
Once a victim saves the document, the stored XSS payload fires in their browser and could allow the attacker to capture session cookies, create unauthorized accounts with elevated privileges, or gain access to protected documents through session hijacking.
Other critical vulnerabilities include CVE-2022-47413 and CVE-2022-47414, which affect OpenKM’s open-source DMS version 6.3.12. The first is also a stored XSS issue requiring a victim to save a harmful document. The second vulnerability necessitates authenticated access to OpenKM’s console, where an XSS flaw can be exploited within the document ‘note’ feature.
Four vulnerabilities affect LogicalDOC’s DMS; CVE-2022-47416, a stored XSS in the in-app chat feature, is the only one limited to the Enterprise version.
CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418 pose risks to both LogicalDOC Community Edition and Enterprise versions, found in the messaging system, document file name indexes, and version comments. While authentication is generally required, guest access may suffice to compromise administrator accounts.
The least severe unpatched vulnerability is CVE-2022-47419, an XSS issue arising from tag functions in Mayan’s open-source DMS, EDMS Workspace, version 4.3.3.
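Every flaw above shares one root cause: attacker-controlled document metadata (a file name, a tag, a note, a version comment) is written into an HTML page without output encoding. The following is an added illustration, not code from Rapid7 or from any of the vendors named, showing a generic server-side listing template in its vulnerable and hardened forms, plus a small regression check a DMS team could keep in its template tests. The sample document and the `marker()` stand-in are constructed for the example.

```python
import html
from typing import Dict, List

# Constructed sample: metadata a DMS might persist for an uploaded document.
# The name and second tag carry markup so the two renderers can be compared;
# "marker()" is a stand-in for any script, not a payload from the article.
SAMPLE_DOC: Dict[str, object] = {
    "name": "Q4 report<script>marker()</script>.pdf",
    "tags": ["finance", "<img src=x onerror=marker()>"],
    "note": "Review before Friday",
}


def render_unsafe(doc: Dict[str, object]) -> str:
    """Vulnerable pattern: stored fields are concatenated straight into HTML,
    so whatever was saved with the document is interpreted by the browser."""
    tags = ", ".join(str(t) for t in doc["tags"])
    return (f'<li class="doc"><span class="name">{doc["name"]}</span>'
            f'<span class="tags">{tags}</span>'
            f'<span class="note">{doc["note"]}</span></li>')


def esc(value: object) -> str:
    """Escape a value for HTML element content (also quotes, for attributes)."""
    return html.escape(str(value), quote=True)


def render_safe(doc: Dict[str, object]) -> str:
    """Hardened form: every stored value is escaped at the point it is placed
    into the page, so markup in a file name, tag or note is shown as text."""
    tags = ", ".join(esc(t) for t in doc["tags"])
    return (f'<li class="doc"><span class="name">{esc(doc["name"])}</span>'
            f'<span class="tags">{tags}</span>'
            f'<span class="note">{esc(doc["note"])}</span></li>')


def stored_fields(doc: Dict[str, object]) -> List[str]:
    """All user-controlled strings that end up in the rendered listing."""
    return [str(doc["name"]), str(doc["note"])] + [str(t) for t in doc["tags"]]


def leaks_raw_markup(rendered: str, fields: List[str]) -> bool:
    """Regression check for a template test suite: True if any stored field
    containing '<' appears verbatim (unescaped) in the rendered output."""
    return any("<" in f and f in rendered for f in fields)


if __name__ == "__main__":
    fields = stored_fields(SAMPLE_DOC)
    print("unsafe template leaks markup:", leaks_raw_markup(render_unsafe(SAMPLE_DOC), fields))
    print("safe template leaks markup:  ", leaks_raw_markup(render_safe(SAMPLE_DOC), fields))
```

Escaping on output is the fix that survives any upload path, including automated indexing where no human reviews the file name; validating names at upload time is a useful extra layer but not a substitute.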
Vendor Communication Lapses
In every case, Rapid7 made extensive efforts to reach out to the vendors using emails, support channels, and tickets.
“Regrettably, none of these vendors responded to Rapid7’s outreach concerning their disclosure, despite the coordination of these reports with CERT/CC,” the company stated. “Therefore, these vulnerabilities are being disclosed in line with Rapid7’s vulnerability disclosure policy.”
Rapid7 has informed The Daily Swig that no vendor has contacted them following the disclosures.
Rapid7 researcher Matthew Kienow identified these vulnerabilities.
The Daily Swig has reached out to all vendors for their comments. Updates to this information will be provided when received.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/radio-silence-from-dms-vendor-quartet-over-xss-zero-days