reports that widely used on-premises and cloud-hosted document management system solutions by Mayan, OnlyOffice, LogicalDOC, and OpenKM are being impacted by eight cross-site scripting flaws, which could be exploited to enable sensitive document access.
Any of the flaws could be leveraged to facilitate admin session cookie theft and user impersonation to obtain DMS access. OnlyOffice Workspace 126.96.36.1990 is affected by the most severe of the bugs, tracked as CVE-2022-47412, which requires luring victims into opening a malicious DMS-stored document through embedded search, according to Rapid7. Four of the XSS vulnerabilities, tracked from CVE-2022-47415 to CVE-2022-47418, impact LogicalDOC CE/Enterprise 8.7.3/8.8.2 and LogicalDOC Enterprise 8.8.2, while two others, tracked as CVE-2022-47413 and CVE-2022-47414, affect OpenKM 6.3.12, the latter of which requires OpenKM console access.
Moreover, the Mayan EDMS 4.3.3 vulnerability, tracked as CVE-2022-47419, was found to affect its in-product tagging system.
"Given the high severity of a stored XSS vulnerability in a document management system, especially one that is often part of automated workflows, administrators are urged to apply any vendor-supplied updates on an emergency basis," said Rapid7.
However, none of the vendors have moved to remediate the vulnerabilities.
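As an added defensive example (not code from Rapid7 or from any of the vendors named above), the following Python contrasts unescaped rendering of a stored DMS tag or document name, the kind of field the report says carried the flaws, with escaped rendering, and checks whether a session cookie carries the flags that blunt the cookie theft Rapid7 describes. The tag values, cookie headers and function names are constructed for the illustration.

```python
"""Stored XSS in DMS metadata: unsafe vs. escaped rendering, plus a
session-cookie hardening check. Sample data below is constructed."""
from html import escape
from http.cookies import SimpleCookie


def render_tag_list_unsafe(tags):
    """Vulnerable pattern: tag names are concatenated straight into HTML,
    so markup stored in a tag name runs in every viewer's browser."""
    return "<ul>" + "".join(f"<li class=\"tag\">{t}</li>" for t in tags) + "</ul>"


def render_tag_list(tags):
    """Hardened pattern: every tag name is HTML-escaped at output time,
    so stored markup is displayed as text instead of being executed."""
    items = "".join(f"<li class=\"tag\">{escape(t, quote=True)}</li>" for t in tags)
    return "<ul>" + items + "</ul>"


def missing_cookie_flags(set_cookie_header, name="sessionid"):
    """Return the hardening flags absent from the named cookie in a
    Set-Cookie header. HttpOnly keeps script from reading the cookie
    (limiting session theft via XSS), Secure keeps it off plaintext HTTP,
    SameSite limits cross-site sending. An empty list means all present."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return ["cookie not set"]
    morsel = jar[name]
    missing = []
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    if not morsel["secure"]:
        missing.append("Secure")
    if not morsel["samesite"]:
        missing.append("SameSite")
    return missing


if __name__ == "__main__":
    # Constructed tag names: one benign, one carrying stored markup.
    sample_tags = ["invoices-2023", "<script>alert(document.cookie)</script>"]
    print("unsafe :", render_tag_list_unsafe(sample_tags))
    print("escaped:", render_tag_list(sample_tags))
    # Constructed Set-Cookie headers: weak and hardened.
    print(missing_cookie_flags("sessionid=abc123; Path=/"))
    print(missing_cookie_flags("sessionid=abc123; HttpOnly; Secure; SameSite=Lax"))
```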
Updated March 16, 2023:
OnlyOffice has fixed the XSS vulnerability and has posted documentation on GitHub here.