Security

This document outlines the security weaknesses found or published for Mayan EDMS along with the information about when and in what version these issues were fixed.

CVE-2022-47419

Description: The select2 template used to display tags in the attach and remove view did not performed complete tag label sanitation and allowed cross-site scripting (XSS) to occur.

This is a limited scope weakness and can only be used at best to perform phishing attacks. However this action requires for an attacker to have a user account and be a trusted user with the necessary permissions to create or edit tags.

Any usage of this weakness remains logged in the event system making it easy to track down any bad actors.

Visitors to a Mayan EDMS installation cannot exploit this weakness.

It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.

Contrary to some incorrect reports, it is not possible to exploit this weakness to steal the session cookie and impersonate users. Since version 1.4 (March 23, 2012) Django has included the httponly attribute for the session cookie. This means that the session cookie data, including sessionid, is no longer accessible from JavaScript. https://docs.djangoproject.com/en/4.1/releases/1.4/

Mayan EDMS currently uses Django 3.2. Under this version of Django The SESSION_COOKIE_HTTPONLY defaults to True, which enables the httponly for the session cookie making it inaccessible to JavaScript and therefore not available for impersonation via session hijacking. https://docs.djangoproject.com/en/3.2/ref/settings/#session-cookie-httponly

Django’s SESSION_COOKIE_HTTPONLY setting is not currently exposed by Mayan EDMS’ setting system, therefore it is not possible to disable this protection by conventional means.

Due to all these factors, the surface of attack of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.

Impact: Low

Affected Version: 4.4.2 and earlier

Fixed Version: 4.4.3 (2023-02-11), 4.3.6 (2023-02-19), 4.2.14 (2023-03-09), 4.1.11 (2023-03-08)

CVE-2018-16407

Description: Missing sanitization of the tag label. The tag widget marked the rendered HTML as safe avoiding escaping which allows cross-site scripting (XSS) to occur.

This is a limited scope weakness and can only be used at best to perform phishing attacks. However this action requires for an attacker to have a user account and be a trusted user with the necessary permissions to create or edit tags.

Any usage of this weakness remains logged in the event system making it easy to track down any bad actors.

Visitors to a Mayan EDMS installation cannot exploit this weakness.

It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.

Due to all these factors, the surface of attack of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.

Impact: Low

Affected Version: 3.0.1 and earlier.

Fixed Version: 3.0.2 (2018-08-17)

CVE-2018-16406

Description: Missing sanitization of the cabinet label. The cabinet widget marked the rendered HTML as safe avoiding escaping which allows cross-site scripting (XSS) to occur.

This is a limited scope weakness and can only be used at best to perform phishing attacks. However this action requires for an attacker to have a user account and be a trusted user with the necessary permissions to create or edit cabinets.

Any usage of this weakness remains logged in the event system making it easy to track down any bad actors.

Visitors to a Mayan EDMS installation cannot exploit this weakness.

It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.

Due to all these factors, the surface of attack of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.

Impact: Low

Affected Version: 3.0.1 and earlier.

Fixed Version: 3.0.2 (2018-08-16)

CVE-2018-16405

Description: Missing sanitization of the window.location. The window.location is modified directly to match the view title without HTML escaping which allows cross-site scripting (XSS) to occur.

This is a limited scope weakness and can only be used at best to perform phishing attacks. However this action requires for an attacker to have a user account and be a trusted user with the necessary permissions to create or edit object whose content may be a part of the view title.

Any usage of this weakness remains logged in the event system making it easy to track down any bad actors.

Visitors to a Mayan EDMS installation cannot exploit this weakness.

It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.

Due to all these factors, the surface of attack of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.

Impact: Low

Affected Version: 3.0.1 and earlier.

Fixed Version: 3.0.2 (2018-08-17)

CVE-2014-3840

Description: Missing sanitization of the view title. Authenticated users with object access can create or edit objects with a specially crafted label. Missing HTML escaping allows cross-site scripting (XSS) to occur.

This is a limited scope weakness and can only be used at best to perform phishing attacks. However this action requires for an attacker to have a user account and be a trusted user with the necessary permissions to create or edit object whose content may be a part of the view title.

Any usage of this weakness remains logged in the event system making it easy to track down any bad actors.

Visitors to a Mayan EDMS installation cannot exploit this weakness.

It is not possible to circumvent Mayan EDMS access control system or expose arbitrary information with this weakness.

Due to all these factors, the surface of attack of this weakness is very limited, if any.

There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.

Impact: Low

Affected Version: 0.12 and earlier.

Fixed Version: 0.13 (2012-12)

Security FAQ

I found a security issue

Open an issue at https://gitlab.com/mayan-edms/mayan-edms/issues/ and mark it as Confidential. Allow us at least 48 hours to find and release a fix for the issue before submitting it to the CVE database.

I want to contact the team directly to report a security issue

The contact method is via email info@mayan-edms.com. Send the complete procedure to recreate the security issue.

Are security bounties available?

As a free and open source project, bounties or prices for security issues are not available.

Blackmail, extortion, or paid registrations as requirement for security issue disclosure will be reported to the pertinent managing or legal authorities.