Multiple unpatched security flaws have been identified in open source and freemium document management systems (DMS) from four vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
Cybersecurity firm Rapid7 said eight vulnerabilities “allow attackers to convince human operators to store malicious documents on the platform, and once the documents are indexed and triggered by users, take control of the organization. provide a mechanism that gives attackers multiple paths to .”
A list of eight cross-site scripting (XSS) The flaws discovered by Rapid7 researcher Matthew Kienow are:
- CVE-2022-47412 – ONLYOFFICE workspace search save XSS
- CVE-2022-47413 and CVE-2022-47414 – OpenKM documents and application XSS
- CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, CVE-2022-47418 – LogicalDOC multiple save XSS
- CVE-2022-47419 – Mayan EDMS Tag Stored XSS
Stored XSS, also known as persistent XSS, occurs when malicious script is injected directly into a vulnerable web application (e.g. via a comment field), activating the malicious code each time the application is accessed. Become.
A threat actor can exploit the aforementioned flaw by providing a decoy document to give an intruder the ability to gain further control over a compromised network.
“A typical attack pattern is for a locally logged-in administrator to steal an authenticated session cookie and reuse that session cookie to impersonate that user and create a new privileged account,” said Rapid7. said Tod Beardsley, director of research at Said.
In another scenario, an attacker could exploit the victim’s identity to inject arbitrary commands and gain stealth access to stored documents.
The cybersecurity firm said the flaw was reported to its respective vendor on December 1, 2022 and remains unfixed despite coordinating the disclosure with the CERT Coordination Center (CERT/CC). .
Users of affected DMS should exercise caution when importing documents from unknown or untrusted sources, limit the creation of anonymous untrusted users, and restrict certain features such as chat and tagging to known users. recommended.