Researchers have disclosed a raft of serious document management system (DMS) vulnerabilities impacting four enterprise vendors who have not yet resolved the issues.
In a blog post published on Tuesday (February 7), Tod Beardsley, director of research at Rapid7, said the cross-site scripting (XSS) flaws affected vendors ONLYOFFICE, OpenKM, LogicalDOC, and Mayan.
All of the software examined by Rapid7 is offered as an on-prem, cloud, open source, or freemium DMS solution.
“Given the high severity of a stored XSS vulnerability in a document management system, especially one that is often part of automated workflows, administrators are urged to apply any vendor-supplied updates on an emergency basis,” the researchers advise.
No such updates have emerged at the time of writing, however.
Bug breakdown
The most severe issue belongs to ONLYOFFICE’s Workspace enterprise app platform. Tracked as CVE-2022-47412 and believed to impact versions from 0 through 12.1.0.1760, the stored cross-site scripting (XSS) vulnerability could be exploited if an attacker can ensure a malicious document is saved in the DMS for indexing.
When a victim has unwittingly saved the document and triggered the XSS condition, an attacker could steal session cookies to create new, privileged accounts or perform a browser session hook and secure access to stored documents.
Another two vulnerabilities, CVE-2022-47413 and CVE-2022-47414, impact OpenKM’s open source DMS version 6.3.12. CVE-2022-47413 is another stored XSS bug that requires a victim to save a malicious document in the DMS. The other vulnerability requires an attacker to have authenticated access to the OpenKM console. If they meet this condition, a stored XSS security flaw can be reached in the document ‘note’ function.
Four less severe vulnerabilities were discovered in LogicalDOC’s open source DMS. Only one of them, CVE-2022-47416, a stored XSS in the in-app chat system, is limited to the Enterprise version of the DMS.
The other three, CVE-2022-47415, CVE-2022-47417, and CVE-2022-47418, impact both LogicalDOC Community Edition and Enterprise, versions 8.7.3 and 8.8.2 respectively.
These vulnerabilities were found in the in-app messaging system, stored document file name indexes, and stored document version comments. All required some form of authentication or access, although Rapid7 says that guest privileges alone are often enough to target administrators.
The final, least severe unpatched vulnerability is CVE-2022-47419, a tag-based XSS found in Mayan’s open source DMS, EDMS Workspace, version 4.3.3.
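Every bug in the breakdown above is the same pattern: a field an ordinary or guest user controls (a file name, a document note, a version comment, a chat message) is stored by the DMS and later rendered into an administrator's browser without output encoding. The snippet below is an added illustration written for this article, not code from Rapid7 or from any of the four vendors. It models a hypothetical document listing page (the `DocumentRecord` fields and function names are my own), shows the unsafe rendering beside the encoded version, and adds the two mitigations a defender would pair with it: a simple scan over stored metadata to surface entries that look like markup, and the response headers (Content-Security-Policy, HttpOnly session cookie) that blunt the session-theft follow-on the article describes.

```python
import html
import re
from dataclasses import dataclass

# Constructed record shape: the three user-controlled fields the article names.
@dataclass
class DocumentRecord:
    filename: str
    note: str
    version_comment: str

def render_vulnerable(doc: DocumentRecord) -> str:
    """Interpolates stored fields straight into HTML.
    This is the stored XSS sink: whatever a user saved is emitted as markup."""
    return (
        f"<tr><td>{doc.filename}</td>"
        f"<td>{doc.note}</td>"
        f"<td>{doc.version_comment}</td></tr>"
    )

def render_hardened(doc: DocumentRecord) -> str:
    """Same row, but every stored field is HTML-entity encoded for element
    content. quote=True also encodes quotes, so the same helper is safe if a
    field is later placed in a quoted attribute."""
    esc = lambda s: html.escape(s, quote=True)
    return (
        f"<tr><td>{esc(doc.filename)}</td>"
        f"<td>{esc(doc.note)}</td>"
        f"<td>{esc(doc.version_comment)}</td></tr>"
    )

# Detection aid for existing data: stored metadata that already contains
# markup or script-ish tokens. Not a substitute for encoding on output.
_SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def flag_suspicious_metadata(doc: DocumentRecord) -> list[str]:
    """Return the names of fields whose stored value looks like HTML/JS."""
    flagged = []
    for name in ("filename", "note", "version_comment"):
        if _SUSPICIOUS.search(getattr(doc, name)):
            flagged.append(name)
    return flagged

def security_headers(session_id: str) -> dict[str, str]:
    """Headers that limit what a successful stored XSS can do:
    CSP blocks inline script; HttpOnly keeps the session cookie out of
    document.cookie, so 'steal the session cookie' is no longer a one-liner."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'"
        ),
        "Set-Cookie": f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax",
    }

if __name__ == "__main__":
    # Constructed sample: a benign-looking upload whose file name carries markup.
    sample = DocumentRecord(
        filename="Q4-report<script>alert('xss')</script>.pdf",
        note="Reviewed by finance",
        version_comment='<img src=x onerror="alert(1)">',
    )
    print("vulnerable :", render_vulnerable(sample))
    print("hardened   :", render_hardened(sample))
    print("flagged    :", flag_suspicious_metadata(sample))
    print("headers    :", security_headers("EXAMPLE-SESSION-ID"))
```

The hardened renderer is the fix that matters: CSP and cookie flags reduce blast radius but do not remove the injection. The metadata scan is useful when rolling this out to an instance that already holds years of documents, since stored XSS is dormant until an administrator opens the listing.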
No response
In all instances, Rapid7 attempted to contact the vendors via email addresses, support channels, and support tickets.
“Unfortunately, none of these vendors were able to respond to Rapid7’s disclosure outreach, despite having coordinated these disclosures with CERT/CC,” the company said. “As such, these issues are being disclosed in accordance with Rapid7’s vulnerability disclosure policy.”
Rapid7 told The Daily Swig that none of the organizations have been in contact since the disclosure.
Rapid7 researcher Matthew Kienow discovered the flaws.
The Daily Swig has reached out to each vendor for comment. We will update this story if and when we hear back.
Source: https://portswigger.net/daily-swig/radio-silence-from-dms-vendor-quartet-over-xss-zero-days