Eight unpatched security vulnerabilities have been found in open-source and freemium document management systems (DMS) offered by four vendors: LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.
These flaws were disclosed by cybersecurity firm Rapid7. They allow a malicious actor to trick a user into saving a harmful document on the platform; once the document is indexed, the attacker can gain control over the organization.
The eight cross-site scripting (XSS) flaws, discovered by Rapid7 researcher Matthew Kienow, include ONLYOFFICE Workspace Search Stored XSS, OpenKM Document and Application XSS, and multiple LogicalDOC Stored XSS, as well as Mayan EDMS Tag Stored XSS.
According to Tod Beardsley, Director of Research at Rapid7, a typical attack pattern could be to steal the session cookie of a locally logged-in administrator and use that session cookie to impersonate the user and create a new privileged account.
The attacker could also abuse the victim’s identity to inject arbitrary commands and gain access to stored documents.
Rapid7 reported these flaws to the vendors on December 1, 2022, and they remain unfixed despite Rapid7 coordinating with the CERT Coordination Center (CERT/CC).
As a precaution, users of affected DMS are urged to be cautious when importing documents from unknown or untrusted sources and to limit the creation of anonymous users, as well as restrict certain features like chats and tagging to known users.
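As an added illustration (not code from Rapid7 or from any of the named vendors), the following Python shows the two defensive controls that address the stored-XSS pattern and the import precautions described above: escaping stored tag or document names before they are rendered so an injected script stays inert, and flagging imported names that carry markup so they can be reviewed before indexing. The tag names and the payload are constructed samples.

```python
import html
import re

# Constructed sample tag names of the kind a DMS stores and later renders in its
# UI. The last one carries a stored-XSS payload like the ones the article describes.
SAMPLE_TAGS = [
    "invoices-2022",
    "HR / onboarding",
    "<script>alert(document.cookie)</script>",
]

# Heuristic for import-time review: an opening tag, a javascript: URL, or an
# inline event handler has no business in a tag or document name.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript:|on\w+\s*=", re.IGNORECASE)


def render_tag_unsafe(tag: str) -> str:
    """Vulnerable rendering: raw concatenation puts stored markup straight into
    the page, so it executes in the browser of whoever views the tag list."""
    return f'<span class="tag">{tag}</span>'


def render_tag_safe(tag: str) -> str:
    """Hardened rendering: HTML-escape user-controlled text before it enters
    the markup. The payload is displayed literally instead of executing."""
    return f'<span class="tag">{html.escape(tag, quote=True)}</span>'


def flag_suspicious_names(names):
    """Import-time check: return the names that contain HTML or script markup
    so an operator can review them before the document is indexed."""
    return [name for name in names if MARKUP_RE.search(name)]


if __name__ == "__main__":
    for tag in SAMPLE_TAGS:
        print("unsafe:", render_tag_unsafe(tag))
        print("safe:  ", render_tag_safe(tag))
    print("flagged on import:", flag_suspicious_names(SAMPLE_TAGS))
```

Output encoding is the fix the vendors would apply; the import check is a compensating control an operator can run today. Marking the session cookie HttpOnly additionally keeps it out of reach of any script that does execute.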