Multiple unpatched security flaws have been disclosed in open source and freemium Document Management System (DMS) offerings from four vendors LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
Cybersecurity firm Rapid7 said the eight vulnerabilities offer a mechanism through which "an attacker can convince a human operator to save a malicious document on the platform and, once the document is indexed and triggered by the user, giving the attacker multiple paths to control the organization."
The list of eight cross-site scripting (XSS) flaws, discovered by Rapid7 researcher Matthew Kienow, is as follows -
- CVE-2022-47412 - ONLYOFFICE Workspace Search Stored XSS
- CVE-2022-47413 and CVE-2022-47414 - OpenKM Document and Application XSS
- CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 - LogicalDOC Multiple Stored XSS
- CVE-2022-47419 - Mayan EDMS Tag Stored XSS
Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into a vulnerable web application (e.g., via a comment field), causing the rogue code to be activated upon each visit to the application.
A threat actor can exploit the aforementioned flaws by providing a decoy document, granting the interloper the ability to further their control over the compromised network,
"A typical attack pattern would be to steal the session cookie that a locally-logged in administrator is authenticated with, and reuse that session cookie to impersonate that user to create a new privileged account," Tod Beardsley, director of research at Rapid7, said.
In an alternative scenario, the attacker could abuse the identity of the victim to inject arbitrary commands and gain stealthy access to the stored documents.
The cybersecurity firm noted that the flaws were reported to the respective vendors on December 1, 2022, and continue to remain unfixed despite coordinating the disclosures with CERT Coordination Center (CERT/CC).
Users of the affected DMS are advised to proceed with caution when importing documents from unknown or untrusted sources as well as limit the creation of anonymous, untrusted users and restrict certain features such as chats and tagging to known users.
Update: ONLYOFFICE has confirmed to THN that its document management software has been updated to version 7.3.3 on March 15, 2023, addressing CVE-2022-47412 described in this article.