A number of unpatched safety flaws have been recognized in open supply and freemium doc administration techniques (DMS) from 4 distributors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
Cybersecurity agency Rapid7 mentioned the eight vulnerabilities “enable attackers to persuade human operators to retailer malicious paperwork on the platform, and as soon as the paperwork are listed and triggered by customers, take management of the group. present a mechanism that provides attackers a number of paths to .”
Here’s a listing of eight cross-site scripting (XSS) flaws found by Rapid7 researcher Matthew Kienow:
- CVE-2022-47412 – ONLYOFFICE workspace search save XSS
- CVE-2022-47413 and CVE-2022-47414 – OpenKM paperwork and utility XSS
- CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, CVE-2022-47418 – LogicalDOC a number of save XSS
- CVE-2022-47419 – Mayan EDMS Tag Saved XSS
Saved XSS, often known as persistent XSS, happens when malicious script is injected instantly right into a susceptible internet utility (e.g. by way of a remark area), activating the malicious code every time the applying is accessed. Grow to be.
A risk actor can exploit the aforementioned flaw by offering a decoy doc to offer an intruder the flexibility to achieve additional management over a compromised community.
“A typical assault sample is for a domestically logged-in administrator to steal an authenticated session cookie and reuse that session cookie to impersonate that consumer and create a brand new privileged account,” he mentioned. mentioned Tod Beardsley, Director of Analysis at Rapid7. .
In one other state of affairs, an attacker might exploit the sufferer’s id to inject arbitrary instructions and acquire stealth entry to saved paperwork.
The cybersecurity agency mentioned the flaw was reported to its respective vendor on December 1, 2022 and stays unfixed regardless of coordinating the disclosure with the CERT Coordination Heart (CERT/CC). .
Customers of affected DMS ought to train warning when importing paperwork from unknown or untrusted sources, restrict the creation of nameless untrusted customers, and limit sure options reminiscent of chat and tagging to recognized customers. really useful.