Multiple Document Management XSS Flaw

Rapid7 uncovered a number of vulnerabilities with on-premises installations of open-source and freemium Document Management System (DMS) services from four different vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.

The eight vulnerabilities, according to Rapid7, provide a mechanism by which an attacker can convince a human operator to save a malicious document on the platform and, after the document is indexed and activated by the user, offer the attacker multiple paths to control the organization.

Rapid7 researcher Matthew Kienow found all of these flaws, which were then validated by Rapid7’s security sciences team.

List of Eight Cross-Site Scripting (XSS) Vulnerabilities

  • CVE-2022-47412 – ONLYOFFICE Workspace Search Stored XSS.
  • CVE-2022-47413, CVE-2022-47414 – OpenKM Document and Application XSS
  • CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 – LogicalDOC Multiple Stored XSS
  • CVE-2022-47419 – Mayan EDMS Tag Stored XSS

The vulnerability was tracked as (CVE-2022-47412) in ONLYOFFICE Workspace Search Stored XSS. In this case, the ONLYOFFICE Workspace DMS is susceptible to a stored (persistent, or “Type II”) cross-site scripting (XSS) attack in the case that an attacker provides a malicious document.

“This vulnerability was identified in testing against ONLYOFFICE Workspace Version 12.1.0.1760. It is likely the vulnerability exists in previous versions of the software as well as the Enterprise offering”, Rapid7.

The success of the attack depends on the attacker’s ability to access a document saved in the DMS for indexing. Additionally, this may convince a human worker to store the malicious file on the attacker’s behalf manually. Alternatively, an insider could index their file and wait for another user to trigger the XSS situation.

Also, once the stored document has been indexed, the attacker must wait for or convince, a user to activate it using ONLYOFFICE Workspace’s search capabilities.

Two XSS vulnerabilities (CVE-2022-47413), (CVE-2022-47414) were discovered in OpenKM, a popular DMS. Given a malicious document provided by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or “Type II”) XSS condition.

In the second issue, an attacker needs direct access to OpenKM in order to create a malicious “note” that is attached to a saved document.

Four XSS vulnerabilities (CVE-2022-47415 through CVE-2022-47418) were discovered in the LogicalDOC DMS.

“Successful XSS exploitation was observed in the in-product messaging system, the chat system, stored document file name indexes, and stored document version comments”, Rapid7.

These vulnerabilities were identified in testing against LogicalDOC Enterprise version 8.8.2 and Community version 8.7.3. 

In this case, since the “Guest” access level frequently has the ability to conduct these stored XSS attacks against more privileged users, administrators should restrict the creation of anonymous, untrusted users for the vulnerable DMS.

Finally, Mayan EDMS DMS has XSS vulnerability (CVE-2022-47419), which has been identified. The in-product tagging system was shown to be successfully exploiting XSS.

Mayan EDMS Workspace is an Apache-licensed DMS, available as an on-prem or cloud-hosted collaboration platform. This vulnerability was identified in testing against Mayan EDMS Version 4.3.3 (Build number: v4.3.3_Tue Nov 15 18:12:36 2022 -0500).

“A typical attack pattern would be to steal the session cookie that a locally logged in administrator is authenticated with, and reuse that session cookie to impersonate that user to create a new privileged account,” Rapid7.

“The attacker would have access to the stored documents, which may be critically important to the targeted organization”. 

Users of the impacted DMS are advised to take caution when importing documents from unidentified or suspect sources, limit the creation of anonymous, suspicious users, and limit access to features, such as chats and tagging, to known users.

Update (3/16/2023): The vulnerability(CVE-2022-4741) found in ONLYOFFICE has been fixed. You can find more details here.

Network Security Checklist – Download Free E-Book

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.