Many unpatched security flaws have been disclosed in open source and freemium Doc Management Program (DMS) offerings from four vendors LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
Cybersecurity company Rapid7 reported the 8 vulnerabilities offer you a mechanism as a result of which “an attacker can convince a human operator to conserve a malicious document on the platform and, once the doc is indexed and brought on by the person, supplying the attacker a number of paths to management the organization.”
The checklist of eight cross-web page scripting (XSS) flaws, found out by Rapid7 researcher Matthew Kienow, is as follows –

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
- CVE-2022-47412 – ONLYOFFICE Workspace Research Saved XSS
- CVE-2022-47413 and CVE-2022-47414 – OpenKM Document and Application XSS
- CVE-2022-47415, CVE-2022-47416, CVE-2022-47417, and CVE-2022-47418 – LogicalDOC Multiple Saved XSS
- CVE-2022-47419 – Mayan EDMS Tag Saved XSS
Saved XSS, also acknowledged as persistent XSS, occurs when a destructive script is injected directly into a susceptible web software (e.g., through a remark area), causing the rogue code to be activated upon each individual visit to the software.
A risk actor can exploit the aforementioned flaws by giving a decoy document, granting the interloper the skill to additional their regulate about the compromised network,
“A usual attack sample would be to steal the session cookie that a regionally-logged in administrator is authenticated with, and reuse that session cookie to impersonate that consumer to make a new privileged account,” Tod Beardsley, director of investigate at Immediate7, reported.
In an choice situation, the attacker could abuse the identification of the victim to inject arbitrary commands and obtain stealthy obtain to the stored documents.
The cybersecurity firm mentioned that the flaws were described to the respective distributors on December 1, 2022, and continue to remain unfixed irrespective of coordinating the disclosures with CERT Coordination Center (CERT/CC).
Buyers of the impacted DMS are recommended to move forward with caution when importing documents from mysterious or untrusted resources as properly as limit the development of nameless, untrusted consumers and prohibit selected functions these as chats and tagging to identified buyers.
Found this report intriguing? Follow us on Twitter and LinkedIn to browse additional distinctive articles we post.
Some pieces of this write-up are sourced from:
thehackernews.com