A number of unpatched safety flaws have been disclosed in open supply and freemium Doc Administration System (DMS) choices from 4 distributors LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
Cybersecurity agency Rapid7 stated the eight vulnerabilities provide a mechanism by means of which “an attacker can persuade a human operator to avoid wasting a malicious doc on the platform and, as soon as the doc is listed and triggered by the consumer, giving the attacker a number of paths to manage the group.”
The record of eight cross-site scripting (XSS) flaws, found by Rapid7 researcher Matthew Kienow, is as follows –
- CVE-2022-47412 – ONLYOFFICE Workspace Search Saved XSS
- CVE-2022-47413 and CVE-2022-47414 – OpenKM Doc and Software XSS
- CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 – LogicalDOC A number of Saved XSS
- CVE-2022-47419 – Mayan EDMS Tag Saved XSS
Saved XSS, often known as persistent XSS, happens when a malicious script is injected straight right into a weak internet utility (e.g., through a remark discipline), inflicting the rogue code to be activated upon every go to to the applying.
A menace actor can exploit the aforementioned flaws by offering a decoy doc, granting the interloper the power to additional their management over the compromised community,
“A typical assault sample can be to steal the session cookie {that a} locally-logged in administrator is authenticated with, and reuse that session cookie to impersonate that consumer to create a brand new privileged account,” Tod Beardsley, director of analysis at Rapid7, stated.
In an alternate state of affairs, the attacker might abuse the id of the sufferer to inject arbitrary instructions and achieve stealthy entry to the saved paperwork.
The cybersecurity agency famous that the failings have been reported to the respective distributors on December 1, 2022, and proceed to stay unfixed regardless of coordinating the disclosures with CERT Coordination Heart (CERT/CC).
Customers of the affected DMS are suggested to proceed with warning when importing paperwork from unknown or untrusted sources in addition to restrict the creation of nameless, untrusted customers and prohibit sure options resembling chats and tagging to identified customers.
