Unpatched Security Flaws Disclosed in Multiple Document Management Systems
Feb 08, 2023
Vulnerability Management
Multiple unpatched security flaws have been disclosed in open source and freemium Document Management System (DMS) offerings from four vendors LogicalDOC, Mayan, ONLYOFFICE, and OpenKM. Cybersecurity firm Rapid7 said the eight vulnerabilities offer a mechanism through which "an attacker can convince a human operator to save a malicious document on the platform and, once the document is indexed and triggered by the user, giving the attacker multiple paths to control the organization." The list of eight cross-site scripting ( XSS ) flaws, discovered by Rapid7 researcher Matthew Kienow, is as follows - CVE-2022-47412 - ONLYOFFICE Workspace Search Stored XSS CVE-2022-47413 and CVE-2022-47414 - OpenKM Document and Application XSS CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 - LogicalDOC Multiple Stored XSS CVE-2022-47419 - Mayan EDMS Tag Stored XSS Stored XSS, also known as persistent XSS, occurs when a malicious script is injected directly into