Providers of vulnerable document management systems have yet to respond or release patches for serious issues reported.
Researchers have identified multiple critical vulnerabilities in document management systems (DMS) across four major enterprise vendors, who have yet to address these issues.
In a blog post released on February 7, Tod Beardsley, the director of research at Rapid7, reported that the cross-site scripting (XSS) vulnerabilities impact the vendors ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.
All software assessed by Rapid7 includes on-premises, cloud, open source, or freemium DMS solutions.
“Given the serious nature of a stored XSS vulnerability in any DMS, particularly one involved in automated workflows, it is crucial for administrators to implement any vendor-supplied updates immediately,” the researchers recommend.
Nonetheless, no updates from the vendors had been reported at the time of writing.
Vulnerability Analysis
The most critical vulnerability is associated with ONLYOFFICE’s Workspace enterprise application. Labeled as CVE-2022-47412, it potentially affects versions 0 through 12.1.0.1760. This stored XSS flaw could be exploited if an attacker manages to save a malicious document in the DMS for indexing.
Once a victim inadvertently saves the document and triggers the XSS condition, the attacker could gain access to session cookies, allowing them to create new, privileged accounts or perform a browser session hijack to access stored documents.
Additionally, two vulnerabilities, CVE-2022-47413 and CVE-2022-47414, affect OpenKM’s open source DMS version 6.3.12. CVE-2022-47413 is another stored XSS bug requiring a victim to save a malicious document in the DMS. In contrast, the other vulnerability necessitates authenticated access to the OpenKM console to exploit a stored XSS security flaw within the document ‘note’ function.
In LogicalDOC’s open source DMS, four less critical vulnerabilities were discovered. However, CVE-2022-47416, a stored XSS found in an in-app chat system, only affects the Enterprise version of the DMS.
On the other hand, CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418 impact both the LogicalDOC Community Edition and Enterprise, affecting versions 8.7.3 and 8.8.2 respectively.
These vulnerabilities were identified in the in-app messaging system, stored document filenames, and version comments of the documents. All these flaws require some form of authentication or access, although Rapid7 indicates that basic guest privileges can often suffice to target administrators.
The mildest unpatched vulnerability is CVE-2022-47419, a tag-based XSS identified in Mayan’s open source DMS, EDMS Workspace, version 4.3.3.
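The flaws above share one pattern: text an uploader or low-privileged user controls (a filename, a version comment, a note, a chat message, a tag) is stored and later rendered into a page viewed by an administrator without output encoding. The following is an added example, not code from the article or from any of the vendors named in it, showing that pattern in a small document-list renderer beside a hardened version, plus the cookie attributes that limit the session-theft impact described earlier. The document fields, function names and sample values are constructed for illustration.

```javascript
// Added example: a document-list renderer with the stored-XSS pattern
// described in the article, beside a hardened version. Not vendor code.

// Constructed sample metadata for one uploaded file. The filename and the
// version comment are the attacker-controlled fields; a guest-level user
// could supply them and an administrator would later view the listing.
const SAMPLE_DOC = {
  filename: 'quarterly<img src=x onerror=alert(1)>.pdf',
  versionComment: 'minor edits" onmouseover="alert(1)',
};

// Vulnerable: untrusted strings are concatenated straight into markup,
// so a filename can inject a tag and a comment can break out of an attribute.
function renderDocRowUnsafe(doc) {
  return `<tr><td title="${doc.versionComment}">${doc.filename}</td></tr>`;
}

// Minimal HTML entity encoder covering both element-text and
// double-quoted attribute contexts. Real applications should use a
// templating engine that encodes by default rather than a hand-rolled helper.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
  })[ch]);
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderDocRowSafe(doc) {
  return `<tr><td title="${escapeHtml(doc.versionComment)}">` +
         `${escapeHtml(doc.filename)}</td></tr>`;
}

// Defence in depth for the session-cookie theft described in the article:
// HttpOnly keeps the cookie out of document.cookie, Secure and SameSite
// narrow where it is sent. This does not stop the injected script from acting
// within the victim's session, so it complements rather than replaces encoding.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Simple review check: does rendered markup still contain a raw '<' or an
// unencoded double quote that originated in an untrusted field?
function leaksRawMarkup(html, untrusted) {
  const raw = /[<"]/.test(untrusted);
  return raw && html.includes(untrusted);
}

console.log('unsafe:', renderDocRowUnsafe(SAMPLE_DOC));
console.log('safe:  ', renderDocRowSafe(SAMPLE_DOC));
console.log('cookie:', sessionCookieHeader('dms_session', 'abc123'));
```

The `leaksRawMarkup` check is the kind of assertion worth adding to a DMS test suite for each user-supplied field that ends up in a listing, chat pane or note view: it fails on the unsafe renderer for both the filename and the comment and passes on the hardened one.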
Vendor Communication
Throughout this process, Rapid7 made attempts to contact the vendors via email addresses, support channels, and support tickets.
“Regrettably, none of these vendors managed to respond to Rapid7’s outreach regarding the disclosures, despite the disclosures being coordinated with CERT/CC,” the company stated. “Thus, these vulnerabilities are being disclosed in line with Rapid7’s vulnerability disclosure policy.”
Matthew Kienow, a researcher at Rapid7, uncovered the flaws.
The Daily Swig has reached out to each vendor for an official comment and will provide updates should any responses be received.
Based on an article from portswigger.net: https://portswigger.net/daily-swig/radio-silence-from-dms-vendor-quartet-over-xss-zero-days