Security
This document outlines the security weaknesses found or published for Mayan EDMS along with the information about when and in what version these issues were fixed.
CVE-2022-47419
Description: The select2 template used to display tags in the attach and remove views did not perform complete tag label sanitization and allowed cross-site scripting (XSS) to occur.
This is a limited-scope weakness and can at best be used to perform phishing attacks. However, this action requires the attacker to have a user account and be a trusted user with the necessary permissions to create or edit tags.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Contrary to some incorrect reports, it is not possible to exploit this weakness to steal the session cookie and impersonate users. Since version 1.4 (March 23, 2012) Django has included the httponly attribute for the session cookie. This means that the session cookie data, including sessionid, is no longer accessible from JavaScript.
https://docs.djangoproject.com/en/4.1/releases/1.4/
Mayan EDMS currently uses Django 3.2. Under this version of Django, the SESSION_COOKIE_HTTPONLY setting defaults to True, which enables the httponly attribute for the session cookie, making it inaccessible to JavaScript and therefore not available for impersonation via session hijacking.
https://docs.djangoproject.com/en/3.2/ref/settings/#session-cookie-httponly
Django's SESSION_COOKIE_HTTPONLY setting is not currently exposed by Mayan EDMS' setting system, therefore it is not possible to disable this protection by conventional means.
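As an added deployment check (example code, not part of Mayan EDMS), the following parses the Set-Cookie header of a login response and confirms that the session cookie carries the HttpOnly attribute the text relies on. The header values are constructed samples and the cookie name assumes Django's default sessionid.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, not captured from a real deployment.
HEADER_HARDENED = "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax; Secure"
HEADER_WEAK = "sessionid=abc123; Path=/; SameSite=Lax"


def session_cookie_flags(set_cookie_header, name="sessionid"):
    """Return (httponly, secure) for the named cookie in a Set-Cookie header.

    Raises KeyError when the header does not set that cookie, so a missing
    session cookie is never silently reported as protected.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[name]
    # SimpleCookie stores flag attributes as True when present and '' when absent.
    return bool(morsel["httponly"]), bool(morsel["secure"])


def session_cookie_is_httponly(set_cookie_header, name="sessionid"):
    """True when the session cookie is unreadable from JavaScript (document.cookie)."""
    httponly, _ = session_cookie_flags(set_cookie_header, name=name)
    return httponly


if __name__ == "__main__":
    for header in (HEADER_HARDENED, HEADER_WEAK):
        print(session_cookie_flags(header), "<-", header)
```

Run it against the header a real login response returns (for example from the browser's network inspector) to confirm the Django default is in effect on a given installation.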
Due to all these factors, the attack surface of this weakness is very limited, if it exists at all.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 4.4.2 and earlier
Fixed Version: 4.4.3 (2023-02-11), 4.3.6 (2023-02-19), 4.2.14 (2023-03-09), 4.1.11 (2023-03-08)
CVE-2018-16407
Description: Missing sanitization of the tag label. The tag widget marked the rendered HTML as safe, bypassing escaping, which allows cross-site scripting (XSS) to occur.
This is a limited-scope weakness and can at best be used to perform phishing attacks. However, this action requires the attacker to have a user account and be a trusted user with the necessary permissions to create or edit tags.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if it exists at all.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 3.0.1 and earlier.
Fixed Version: 3.0.2 (2018-08-17)
CVE-2018-16406
Description: Missing sanitization of the cabinet label. The cabinet widget marked the rendered HTML as safe, bypassing escaping, which allows cross-site scripting (XSS) to occur.
This is a limited-scope weakness and can at best be used to perform phishing attacks. However, this action requires the attacker to have a user account and be a trusted user with the necessary permissions to create or edit cabinets.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if it exists at all.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 3.0.1 and earlier.
Fixed Version: 3.0.2 (2018-08-16)
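The tag, cabinet and select2 entries above (CVE-2018-16407, CVE-2018-16406 and CVE-2022-47419) share one defect: a user-controlled label reaches the widget markup without escaping. As an added illustration that is not Mayan EDMS code, the following shows that pattern next to its hardened form in plain Python, plus a small audit helper; the widget markup and the sample labels are constructed for the example.

```python
import html
import re

# Constructed sample labels, not data from any Mayan EDMS installation.
SAMPLE_LABELS = [
    "Invoices 2023",
    "Q&A notes",
    '<b onmouseover="alert(1)">VIP</b>',
]


def render_label_widget_unsafe(label):
    # The 'before' pattern these advisories describe: the label is interpolated
    # verbatim (the equivalent of mark_safe on user input), so the browser
    # interprets any markup it contains.
    return f'<span class="label">{label}</span>'


def render_label_widget(label):
    # Hardened form: escape the untrusted value before it meets the HTML. In a
    # Django template this is what autoescape does, and in Python code
    # django.utils.html.format_html escapes its arguments the same way.
    return '<span class="label">{}</span>'.format(html.escape(label, quote=True))


_HTML_TAG = re.compile(r"<[^>]+>")


def labels_with_markup(labels):
    # Audit helper: list labels containing markup so an administrator reviewing
    # tag or cabinet edits in the event log can find attempts quickly.
    return [label for label in labels if _HTML_TAG.search(label)]


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print(render_label_widget(label))
    print("labels containing markup:", labels_with_markup(SAMPLE_LABELS))
```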
CVE-2018-16405
Description: Missing sanitization of window.location. The window.location is modified directly to match the view title without HTML escaping, which allows cross-site scripting (XSS) to occur.
This is a limited-scope weakness and can at best be used to perform phishing attacks. However, this action requires the attacker to have a user account and be a trusted user with the necessary permissions to create or edit objects whose content may be part of the view title.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if it exists at all.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 3.0.1 and earlier.
Fixed Version: 3.0.2 (2018-08-17)
CVE-2014-3840
Description: Missing sanitization of the view title. Authenticated users with object access can create or edit objects with a specially crafted label. Missing HTML escaping allows cross-site scripting (XSS) to occur.
This is a limited-scope weakness and can at best be used to perform phishing attacks. However, this action requires the attacker to have a user account and be a trusted user with the necessary permissions to create or edit objects whose content may be part of the view title.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if it exists at all.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 0.12 and earlier.
Fixed Version: 0.13 (2012-12)