Multiple Document Management XSS Flaw Let Attackers Access Sensitive Documents

by Esmeralda McKenzie
Multiple Document Management XSS Flaws

Rapid7 uncovered a series of vulnerabilities in on-premises installations of open-source and freemium Document Management System (DMS) products from four different vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.

The eight vulnerabilities, according to Rapid7, provide a mechanism by which an attacker can convince a human operator to save a malicious document on the platform and, after the document is indexed and triggered by the user, give the attacker multiple paths to control the organization.

Rapid7 researcher Matthew Kienow discovered all of these flaws, which were then validated by Rapid7's security sciences team.

List of Eight Cross-Site Scripting (XSS) Vulnerabilities

  • CVE-2022-47412 – ONLYOFFICE Workspace Search Stored XSS
  • CVE-2022-47413, CVE-2022-47414 – OpenKM Document and Application XSS
  • CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 – LogicalDOC Multiple Stored XSS
  • CVE-2022-47419 – Mayan EDMS Tag Stored XSS

The vulnerability tracked as CVE-2022-47412 is a stored XSS in ONLYOFFICE Workspace search. In this case, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or "Type II") cross-site scripting (XSS) attack when an attacker supplies a malicious document.

"This vulnerability was identified in testing against ONLYOFFICE Workspace Version 12.1.0.1760. It's likely the vulnerability exists in previous versions of the software as well as the Enterprise offering", Rapid7.

The success of the attack depends on the attacker's ability to get a document stored in the DMS for indexing. For instance, this could involve convincing a human employee to store the malicious file on the attacker's behalf manually. Alternatively, an insider could index their own file and wait for another user to trigger the XSS condition.

Furthermore, once the stored document has been indexed, the attacker must wait for, or convince, a user to trigger it using ONLYOFFICE Workspace's search capabilities.

Two XSS vulnerabilities (CVE-2022-47413 and CVE-2022-47414) were found in OpenKM, a popular DMS. Given a malicious document supplied by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or "Type II") XSS condition.

In the second case, an attacker needs direct access to OpenKM in order to create a malicious "note" that is linked to a stored document.

Four XSS vulnerabilities (CVE-2022-47415 through CVE-2022-47418) were found in the LogicalDOC DMS.

"Successful XSS exploitation was observed in the in-product messaging system, the chat system, stored document file name indexes, and stored document version comments", Rapid7.

These vulnerabilities were identified in testing against LogicalDOC Enterprise version 8.8.2 and Community version 8.7.3.

In this case, because the "Guest" access level always has the ability to conduct these stored XSS attacks against more privileged users, administrators should still restrict the creation of anonymous, untrusted users for the vulnerable DMS.

Finally, Mayan EDMS has an XSS vulnerability that has been identified as CVE-2022-47419. The in-product tagging system was shown to be successfully exploitable for XSS.

Mayan EDMS Workspace is an Apache-licensed DMS, available as an on-prem or cloud-hosted collaboration platform. This vulnerability was identified in testing against Mayan EDMS Version 4.3.3 (Build number: v4.3.3_Tue Nov 15 18:12:36 2022 -0500).

"A typical attack pattern would be to steal the session cookie that a locally logged-in administrator is authenticated with, and reuse that session cookie to impersonate that user to create a new privileged account," Rapid7.

"The attacker would have access to the stored documents, which could be of significant value to the targeted organization".

Users of the impacted DMS are urged to exercise caution when importing documents from unknown or suspicious sources, restrict the creation of anonymous, untrusted users, and restrict access to features, such as chats and tagging, to known users.
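All eight flaws share one root cause: metadata an uploader controls (file names, tags, version comments, notes) is stored, indexed, and later rendered into HTML for another user without output encoding, after which a stolen session cookie lets the attacker impersonate that user. The following Python is an added example written for this article, not code from Rapid7 or from any of the four vendors, and the `DocumentRecord` schema, the sample records, and the cookie settings are constructed assumptions. It shows the vulnerable concatenation next to the escaped rendering a search page should use, a small check administrators can run over indexed metadata to spot documents carrying HTML markup, and the cookie attributes that blunt the session-theft pattern quoted above even if an XSS does slip through.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class DocumentRecord:
    """Metadata a DMS indexes and later shows in search results (hypothetical schema)."""
    filename: str
    tags: list[str]
    version_comment: str


# Constructed sample records: the second one carries deliberately benign HTML
# markup in the attacker-influenced fields the article names.
SAMPLE_RECORDS = [
    DocumentRecord("quarterly-report.pdf", ["finance"], "initial upload"),
    DocumentRecord("notes<b>bold</b>.docx", ["<i>urgent</i>"], 'v2 "final"'),
]


def render_search_results_unsafe(records):
    """The vulnerable pattern: untrusted metadata concatenated straight into HTML."""
    rows = [
        f"<li>{r.filename} [{', '.join(r.tags)}] - {r.version_comment}</li>"
        for r in records
    ]
    return "<ul>" + "".join(rows) + "</ul>"


def _esc(value):
    # Escape <, >, &, and both quote characters at output time.
    return html.escape(value, quote=True)


def render_search_results(records):
    """Hardened version: every untrusted value is HTML-escaped before it reaches the page."""
    rows = [
        f"<li>{_esc(r.filename)} [{', '.join(_esc(t) for t in r.tags)}] - "
        f"{_esc(r.version_comment)}</li>"
        for r in records
    ]
    return "<ul>" + "".join(rows) + "</ul>"


# Matches an HTML-looking tag such as <b>, </i> or <img ...>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def flag_markup_in_metadata(records):
    """Detection aid: return (filename, field) pairs whose metadata contains HTML
    tags, so documents that arrived from untrusted sources can be reviewed."""
    findings = []
    for r in records:
        checks = (
            ("filename", [r.filename]),
            ("tags", r.tags),
            ("version_comment", [r.version_comment]),
        )
        for field_name, values in checks:
            if any(TAG_RE.search(v) for v in values):
                findings.append((r.filename, field_name))
    return findings


def session_cookie_header(name, value, max_age=3600):
    """Set-Cookie value with HttpOnly (page scripts cannot read it), Secure and
    SameSite, which limits what a stored XSS can do with an administrator's session."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_search_results(SAMPLE_RECORDS))
    print(flag_markup_in_metadata(SAMPLE_RECORDS))
    print(session_cookie_header("sid", "opaque-session-id"))
```

Escaping at render time rather than filtering at upload time is the durable fix, because the same file name or tag is shown in several places (search results, chat, version history) and a filter on one path is easily bypassed on another; the metadata scan is a complement for finding already-indexed content, not a substitute for encoding.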

Update (3/16/2023): The vulnerability (CVE-2022-4741) found in ONLYOFFICE has been fixed. You can find more details here.

Source credit : cybersecuritynews.com
