CVE-2022-47412 in Workspace DMS

Summary

by MITRE • 02/07/2023

Given a malicious document provided by an attacker, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or "Type II") cross-site scripting (XSS) condition.


Analysis

by VulDB Data Team • 03/16/2023

The vulnerability identified as CVE-2022-47412 represents a critical security flaw in the ONLYOFFICE Workspace DMS platform that exposes users to persistent cross-site scripting attacks. This vulnerability specifically affects the document management system's handling of user-provided content, creating a condition where malicious actors can inject harmful scripts into the application's environment. The flaw manifests as a stored XSS vulnerability, meaning that once malicious content is submitted and stored within the system, it will persist and execute automatically whenever authorized users access the affected documents or pages.

The technical implementation of this vulnerability stems from insufficient input validation and output encoding within the ONLYOFFICE Workspace DMS application. When users upload or create documents containing malicious script payloads, the system fails to properly sanitize or escape these inputs before storing them in its database or rendering them in subsequent user sessions. This allows attackers to craft documents that contain JavaScript code or other malicious payloads that execute in the context of authenticated users' browsers. The persistence aspect of this vulnerability means that the malicious scripts remain active even after the initial document creation, making it particularly dangerous as victims may unknowingly trigger the execution of harmful code during routine document access operations.

From an operational impact perspective, this vulnerability creates significant risks for organizations relying on ONLYOFFICE Workspace DMS for document collaboration and management. An attacker who successfully exploits this vulnerability can potentially steal session cookies, redirect users to malicious websites, inject phishing content, or execute arbitrary commands within the victim's browser context. The attack vector typically involves tricking users into opening a specially crafted document that contains embedded malicious scripts. This type of attack can lead to unauthorized access to sensitive documents, data exfiltration, and potential lateral movement within the network. The vulnerability affects all users who have access to the document management system and can result in compromised user sessions and potential privilege escalation if the affected users have administrative capabilities.

The vulnerability is classified under CWE-79, which covers cross-site scripting flaws in web applications and points to a fundamental weakness in input validation and output encoding. It is additionally mapped to the ATT&CK techniques T1566 (initial access through malicious documents) and T1059 (command and scripting interpreter execution). Organizations should apply immediate mitigations: validate all user-provided content, encode output correctly for the context in which it is rendered, and apply the vendor's security updates promptly. Further recommended measures are a web application firewall to detect and block malicious payloads, a content security policy that restricts script execution, and thorough security testing of the document upload mechanisms. Organizations should also run user awareness programs on the risks of opening untrusted documents and establish incident response procedures so that exploitation attempts can be handled quickly.
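The mitigation the analysis calls for, output encoding matched to the HTML context plus a content security policy as defense in depth, as an added example that is not ONLYOFFICE code and does not reflect how Workspace DMS renders documents. The document records, the list template, the `render_*` helpers and the CSP value are assumptions made for the demonstration; the second record's title is a constructed sample of the kind of stored payload the analysis describes.

```python
"""Stored XSS: unsafe vs. output-encoded rendering of a stored document title.

Added example (not ONLYOFFICE code). The document store, the page template
and the CSP value below are assumptions made for the demonstration.
"""
import html

# Constructed sample records: the second title carries a script tag, as an
# attacker could have stored it through a document create/upload form.
STORED_DOCUMENTS = [
    {"id": 1, "title": "Q4 budget"},
    {"id": 2, "title": "Notes <script>alert(1)</script>"},
]

# Assumed CSP for the hardened response: no inline scripts, no plugins,
# no <base> tricks. Defense in depth, not a substitute for encoding.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def render_unsafe(doc):
    """Vulnerable pattern: stored text concatenated straight into HTML.

    The stored title reaches the browser unchanged, so any markup in it
    is parsed as markup and executes on every page load (stored XSS).
    """
    return (f'<li><a href="/docs/{doc["id"]}" title="{doc["title"]}">'
            f'{doc["title"]}</a></li>')


def render_safe(doc):
    """Hardened pattern: encode for each output context the value lands in."""
    # Element body: < > & must be neutralised.
    title_text = html.escape(doc["title"], quote=False)
    # Quoted attribute: quotes must be neutralised as well, or the attacker
    # can close the attribute and add an event handler.
    title_attr = html.escape(doc["title"], quote=True)
    return (f'<li><a href="/docs/{doc["id"]}" title="{title_attr}">'
            f'{title_text}</a></li>')


def render_page(docs, renderer):
    """Build the response (headers, body) for a document listing."""
    body = "\n".join(renderer(d) for d in docs)
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_HEADER,
    }
    return headers, f"<ul>\n{body}\n</ul>"


def contains_script_tag(markup):
    """Crude check used here to show the difference between the two renderers."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for renderer in (render_unsafe, render_safe):
        _, page = render_page(STORED_DOCUMENTS, renderer)
        print(f"--- {renderer.__name__}: script tag present = "
              f"{contains_script_tag(page)}")
        print(page)
```

Running the block prints the listing twice: the unsafe renderer emits the stored `<script>` element verbatim, while the hardened renderer emits `&lt;script&gt;...`, which the browser displays as text. The CSP header on the hardened response would additionally block an inline script even if an encoding gap were missed elsewhere, which is why the analysis recommends both controls together.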

Reservation

12/14/2022

Disclosure

02/07/2023

Moderation

accepted

CPE

ready

EPSS

0.00582

KEV

no

Activities

very low
