Multiple Vulnerabilities Identified in Document Management Systems
Recent findings have highlighted several security vulnerabilities across prominent open-source and freemium Document Management Systems (DMS) offered by four vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM. These unpatched flaws expose organizations to potentially severe cyber threats.
Cybersecurity firm Rapid7 has reported eight critical vulnerabilities that could allow malicious actors to exploit these systems. The firm’s researcher, Matthew Kienow, noted that attackers may be able to manipulate human operators into saving harmful documents. Once these documents are indexed and activated by users, attackers gain multiple avenues to control compromised networks.
The reported vulnerabilities are all cross-site scripting (XSS) flaws of the stored variety: the injected script is saved by the application and served to every user who later views the affected content, so it persists well beyond the initial injection. Specifically, the identified vulnerabilities are CVE-2022-47412, affecting ONLYOFFICE Workspace; CVE-2022-47413 and CVE-2022-47414, affecting OpenKM; CVE-2022-47415 through CVE-2022-47418, affecting LogicalDOC; and CVE-2022-47419, affecting the Mayan EDMS platform.
Stored XSS vulnerabilities allow attackers to insert malicious scripts into web applications. This means that whenever a user accesses the affected application, the harmful code can automatically execute, enabling attackers to compromise user accounts or retrieve sensitive information. A common exploitation method might involve stealing session cookies associated with administrator accounts to impersonate these users and create unauthorized privileged accounts.
In another scenario, attackers could use the victim’s credentials to issue arbitrary commands, gaining covert access to sensitive documents stored within the affected systems. The repercussions of such exploits are profound, threatening the integrity and confidentiality of organizational data.
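The two exploitation paths above both start with stored metadata (a document title, a tag, a chat or comment string) being written into a page unencoded. The following is an added example, not code from Rapid7 or from any of the named vendors, showing the vulnerable rendering pattern beside its hardened form and a session-cookie header that keeps the session ID out of reach of injected script; the document listing template and the `SAMPLE_DOC` record are constructed for illustration.

```javascript
// Escape the five characters that let stored text break out of an HTML
// text or attribute context. Applied at the point data enters markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical template): metadata saved by one user
// is interpolated raw into markup that every later viewer's browser parses.
function renderDocumentRowUnsafe(doc) {
  const tags = doc.tags.join(', ');
  return `<tr><td>${doc.title}</td><td>${tags}</td></tr>`;
}

// Hardened pattern: every stored field is encoded before it reaches HTML,
// so the browser shows the payload as text instead of executing it.
function renderDocumentRowSafe(doc) {
  const tags = doc.tags.map(escapeHtml).join(', ');
  return `<tr><td>${escapeHtml(doc.title)}</td><td>${tags}</td></tr>`;
}

// Constructed sample: an uploaded document whose title and tag carry script
// fragments, standing in for untrusted content a DMS has indexed and now lists.
const SAMPLE_DOC = {
  title: 'Q4 report<script>alert(1)</script>',
  tags: ['finance', '<img src=x onerror=alert(1)>'],
};

// Review check for rendered output: does an unescaped executable tag survive?
// Encoded output contains "&lt;script" rather than "<script", so it passes.
function containsExecutableTag(html) {
  return /<\s*\/?\s*(script|img|svg|iframe)\b/i.test(html);
}

// Session cookie attributes that blunt the cookie-theft path described above:
// HttpOnly hides the value from document.cookie, Secure and SameSite limit
// where it is sent. This narrows the impact of XSS; it does not fix the XSS.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

console.log(renderDocumentRowUnsafe(SAMPLE_DOC)); // payload reaches the browser intact
console.log(renderDocumentRowSafe(SAMPLE_DOC));   // payload rendered as inert text
```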
Rapid7 has confirmed that the vulnerabilities were reported to the respective vendors on December 1, 2022, yet no resolutions have been implemented. Despite coordination efforts with the CERT Coordination Center, the issues persist. Users of the affected DMS platforms are urged to exercise caution, particularly when dealing with documents from unverified sources. Limiting the creation of anonymous accounts and restricting features such as chat and tagging to trusted users are prudent steps.
In a positive development, ONLYOFFICE has released version 7.3.3 of its document management software on March 15, 2023, which addresses CVE-2022-47412. The remaining vulnerabilities are still unpatched, leaving organizations that run the other three platforms exposed.
Because these vulnerabilities remain exploitable against organizations that rely on the affected DMS platforms, businesses should stay informed and maintain sound security practices. Tracking vendor updates and further vulnerability disclosures is essential to mitigating attacks that exploit these known weaknesses.