CVE-2022-45175 in Collaboration vDesk
Summary
by MITRE • 04/14/2023
An issue was discovered in LIVEBOX Collaboration vDesk through v018. An Insecure Direct Object Reference can occur under the 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket endpoint. A malicious unauthenticated user can access cached files in the OnlyOffice backend of other users by guessing the file ID of a target file.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/14/2023
The vulnerability CVE-2022-45175 represents a critical Insecure Direct Object Reference flaw within the LIVEBOX Collaboration vDesk platform, specifically affecting versions through v018. This security weakness manifests within the websocket endpoint structure at 5.6.5-3/doc/{ID-FILE]/c/{N]/{C]/websocket, creating an exploitable pathway for unauthorized access to sensitive user data. The flaw stems from insufficient input validation and access control mechanisms that fail to properly authenticate or authorize requests before granting access to backend resources.
The technical implementation of this vulnerability allows a malicious actor to exploit a predictable file identification system within the OnlyOffice backend infrastructure. By systematically guessing or enumerating file IDs, an unauthenticated attacker can bypass normal access controls and retrieve cached documents belonging to other users. This represents a fundamental breakdown in the principle of least privilege and proper object reference validation, where the system fails to verify that the requesting entity has legitimate authorization to access the specified resource.
The operational impact of this vulnerability extends beyond simple information disclosure, as it enables unauthorized data access that could compromise user privacy and sensitive business information. Attackers can potentially access confidential documents, personal data, or proprietary content that should remain restricted to authorized users only. The vulnerability affects the entire user base of the platform, as the issue lies within the core document access mechanism rather than specific user accounts or files. This creates a significant risk for organizations relying on the platform for collaborative work environments where document security is paramount.
From a cybersecurity perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and maps to ATT&CK technique T1213.002 (Data from Information Repositories) in the credential access and collection domain. The flaw represents a classic example of how insufficient access control validation can create persistent security weaknesses in collaborative platforms. Organizations should immediately implement mitigations including robust input validation, proper authentication mechanisms, and rate limiting on file access endpoints to prevent automated enumeration attacks. Additionally, the vulnerability highlights the importance of secure session management and proper object reference handling in web applications, particularly those integrating with document collaboration tools like OnlyOffice.