In order to log on to the system, you have to point your browser to the URL where LogicalDOC is installed (this may be an address on your network). Once there, a login form is presented in which you enter your username, password, and, optionally, a language, which determines the language of the menus in the system. If you do not specify a language, the user's last used language will be used. On this screen you can also choose to save the credentials on your local machine for quicker access in the future (only do this on a machine you control). If you forgot your credentials, click on the "Forgot password" link and you will be guided through the password reset process.

Once logged in, a desktop is displayed with the following four main areas:

- The title bar with the application logo.
- The main menu, which contains the items needed to access your personal information and the most important information regarding your installation, such as the online manual or the vendor credits. The "File" item gives you the option to terminate the current session. In the same menu bar you can also find a "quick search" box in which you can type a full-text expression.
- Screens: below the menu bar are four different tabs, each representing a specific function:
  - Dashboard: here you can see various alerts and statistics regarding the documents that you have access to in the system.
  - Documents: here you can navigate the folders and manage your documents.
  - Search: here you search using one of the search tools available (full text, tags, etc.).
  - Administration: the administrative area, visible only to administrators.
  Each user can select what is displayed in the work area after logging in, in his/her personal profile under Account > Profile.
- Status bar: in this area, located at the bottom of the desktop screen, the user has access to some general information, such as documents locked or checked out (in editing). In the left corner of the screen there is a status message bar that the system uses to report some events. By clicking on each icon in the status bar you are redirected to the corresponding screen.

You can manage the details of your profile by opening the menu Account > Profile. Here you fill in your information and can also change the avatar image by right-clicking on the current one and uploading one of your photos. The Language is the most relevant setting because it defines the default language to use when you log in.

In the User Interface tab you customize some aspects of the interface:

- Welcome screen: the screen you are dropped into when you enter the system.
- Workspace: the default workspace selected in the folders navigator.
- Search preference: how the different kinds of searches must be ordered in the Search screen.
- Date formats: date formats to override the default format.

In the Email tab you enter your mail address and a signature that will be applied to outgoing messages when you send emails using LogicalDOC.

Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. All of the discovered issues are instances of CWE-79: Improper Neutralization of Input During Web Page Generation; in this disclosure they are ordered from most severe to least. The issues are summarized in the table below.

All of these issues were discovered by Rapid7 researcher Matthew Kienow and validated by Rapid7's security sciences team. Unfortunately, none of these vendors responded to Rapid7's disclosure outreach, despite the disclosures having been coordinated with CERT/CC. As such, these issues are being disclosed in accordance with Rapid7's vulnerability disclosure policy. When we become aware of patches or vendor advisories, we will update this advisory with that information.

CVE-2022-47412: ONLYOFFICE Workspace Search Stored XSS

Given a malicious document provided by an attacker, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or "Type II") cross-site scripting (XSS) condition. ONLYOFFICE Workspace is an AGPL-licensed DMS, available as an on-prem or cloud-hosted collaboration platform; read more about ONLYOFFICE at the vendor's website. This vulnerability was identified in testing against ONLYOFFICE Workspace version 12, and it likely exists in previous versions of the software as well as in the Enterprise offering. The test instance was installed using the Docker image and the instructions for installing ONLYOFFICE Workspace with the provided script. The attack hinges on the attacker's ability to get a document saved in the DMS so that it is indexed: once the attacker-controlled text is in the index, it is served to every user whose search matches it.
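The stored XSS class described above (CWE-79 reached through a DMS search index) is easiest to see as the vulnerable renderer beside its hardened form. The following is an added example, not ONLYOFFICE, LogicalDOC or Rapid7 code: the `title` and `owner` fields, the substring search standing in for the real full-text index, the sample index entries and the payload are all constructed for the demonstration, and nothing here reflects the actual ONLYOFFICE code path.

```javascript
// Added illustration of CWE-79 in a DMS search view. Example code only; the
// field names, the renderer and the sample entries are assumptions.

// Constructed sample index entries. A DMS indexes metadata and text extracted
// from uploaded documents; the second title carries a payload of the kind an
// attacker would embed in a document they can get indexed.
const INDEXED_DOCUMENTS = [
  { id: 1, title: "Quarterly report.docx", owner: "alice" },
  { id: 2, title: '<img src=x onerror="alert(document.cookie)">', owner: "mallory" },
];

// Case-insensitive substring search over titles, standing in for the real
// full-text index. The payload document comes back whenever a victim's query
// matches it, which is what makes the XSS stored rather than reflected.
function search(docs, query) {
  const q = String(query).toLowerCase();
  return docs.filter((d) => d.title.toLowerCase().includes(q));
}

// Vulnerable renderer: indexed text is concatenated straight into HTML, so
// whatever markup the attacker put in the document reaches the victim's
// browser intact and runs in the DMS origin.
function renderSearchResultsVulnerable(docs) {
  const items = docs.map(
    (d) => `<li data-id="${d.id}">${d.title} (${d.owner})</li>`,
  );
  return `<ul>${items.join("")}</ul>`;
}

// Minimal HTML entity encoder for text nodes and double-quoted attribute
// values. Ampersand is encoded first so later replacements are not re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Hardened renderer: every attacker-influenced field is encoded for the
// context it lands in, and the id is forced to an integer so it cannot break
// out of its attribute. Number() (not parseInt) rejects '1" onmouseover="x'.
function renderSearchResultsSafe(docs) {
  const items = docs.map((d) => {
    const id = Number(d.id);
    if (!Number.isInteger(id)) {
      throw new TypeError(`document id is not an integer: ${d.id}`);
    }
    return `<li data-id="${id}">${escapeHtml(d.title)} (${escapeHtml(d.owner)})</li>`;
  });
  return `<ul>${items.join("")}</ul>`;
}

// Regression check of the kind that belongs in a project's test-suite: run a
// query that returns the payload document and verify that no indexed title
// containing markup characters reaches the output unencoded. Returns true
// when the renderer neutralizes every such title.
function rendererNeutralizes(renderFn, docs, query) {
  const hits = search(docs, query);
  const html = renderFn(hits);
  return hits
    .filter((d) => /[<>"'&]/.test(d.title))
    .every((d) => !html.includes(d.title));
}

// Stand-alone run: print both renderings for the query that hits the payload.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderSearchResultsVulnerable(search(INDEXED_DOCUMENTS, "alert")));
  console.log(renderSearchResultsSafe(search(INDEXED_DOCUMENTS, "alert")));
}
```

The fix is output encoding at the point where indexed text is written into HTML, regardless of which upload path put it there; filtering at upload time is not a substitute, because a DMS also indexes text it extracts from inside documents. A Content-Security-Policy that forbids inline script is worthwhile defence in depth but does not remove the CWE-79 defect.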