Security
This document outlines the security weaknesses found in or published for Mayan EDMS, along with information about when and in which version each issue was fixed.
CVE-2022-47419
Description: The select2 template used to display tags in the attach and remove view did not perform complete sanitization of the tag label and allowed cross-site scripting (XSS) to occur.
This is a limited scope weakness and can at best be used to perform phishing attacks. The action requires the attacker to have a user account and to be a trusted user with the necessary permissions to create or edit tags.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Contrary to some incorrect reports, it is not possible to exploit this weakness to steal the session cookie and impersonate users. Since version 1.4 (March 23, 2012) Django has included the httponly attribute for the session cookie. This means that the session cookie data, including sessionid, is no longer accessible from JavaScript.
https://docs.djangoproject.com/en/4.1/releases/1.4/
Mayan EDMS currently uses Django 3.2. Under this version of Django the SESSION_COOKIE_HTTPONLY setting defaults to True, which enables the httponly attribute for the session cookie, making it inaccessible to JavaScript and therefore not available for impersonation via session hijacking.
https://docs.djangoproject.com/en/3.2/ref/settings/#session-cookie-httponly
Django's SESSION_COOKIE_HTTPONLY setting is not currently exposed by Mayan EDMS' setting system, therefore it is not possible to disable this protection by conventional means.
Due to all these factors, the attack surface of this weakness is very limited, if any.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 4.4.2 and earlier
Fixed Version: 4.4.3 (2023-02-11), 4.3.6 (2023-02-19), 4.2.14 (2023-03-09), 4.1.11 (2023-03-08)
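The HttpOnly argument made above can be verified from the outside by inspecting the Set-Cookie header an installation returns when a session is created. The following is an added example written for this page, not Mayan EDMS or Django code: it parses a Set-Cookie header value with the Python standard library and reports whether the named session cookie carries the HttpOnly (and Secure) flags. The cookie name sessionid is Django's default; both header values are constructed samples, one shaped like the default Django 3.2 output and one like a deployment with the flag disabled.

```python
"""Inspect a Set-Cookie header for the HttpOnly flag on the session cookie.

Added example for this page (not Mayan EDMS or Django code). It uses only the
standard library; the header values below are constructed samples shaped like
what Django 3.2 emits with SESSION_COOKIE_HTTPONLY = True (the default) and
what a deployment with that protection disabled would emit.
"""
from http.cookies import SimpleCookie

# Constructed sample headers, not captured from a real installation.
HARDENED_SET_COOKIE = (
    "sessionid=constructed-session-value; expires=Sat, 25 Feb 2023 10:00:00 GMT; "
    "HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax"
)
WEAK_SET_COOKIE = "sessionid=constructed-session-value; Max-Age=1209600; Path=/"


def audit_session_cookie(set_cookie_header: str, name: str = "sessionid") -> dict:
    """Return which protective flags the named cookie carries.

    ``present`` is False when the header sets no cookie of that name; the
    flag entries are then False as well.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(name)
    if morsel is None:
        return {"present": False, "httponly": False, "secure": False}
    # SimpleCookie stores flag attributes as True when present and "" when absent.
    return {
        "present": True,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
    }


def session_cookie_is_httponly(set_cookie_header: str, name: str = "sessionid") -> bool:
    """True when the session cookie cannot be read through document.cookie."""
    return audit_session_cookie(set_cookie_header, name)["httponly"]


if __name__ == "__main__":
    for label, header in (("hardened", HARDENED_SET_COOKIE), ("weak", WEAK_SET_COOKIE)):
        print(label, audit_session_cookie(header))
```

To check a real deployment, paste the Set-Cookie value shown in the browser's network inspector for the login response into audit_session_cookie(). A result with httponly set to False, or a missing Secure flag on an HTTPS-only site, points at a reverse proxy or custom settings module rewriting Django's cookie rather than at Django itself.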
CVE-2018-16407
Description: Missing sanitization of the tag label. The tag widget marked the rendered HTML as safe, avoiding escaping, which allowed cross-site scripting (XSS) to occur.
This is a limited scope weakness and can at best be used to perform phishing attacks. The action requires the attacker to have a user account and to be a trusted user with the necessary permissions to create or edit tags.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if any.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 3.0.1 and earlier.
Fixed Version: 3.0.2 (2018-08-17)
CVE-2018-16406
Description: Missing sanitization of the cabinet label. The cabinet widget marked the rendered HTML as safe, avoiding escaping, which allowed cross-site scripting (XSS) to occur.
This is a limited scope weakness and can at best be used to perform phishing attacks. The action requires the attacker to have a user account and to be a trusted user with the necessary permissions to create or edit cabinets.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if any.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 3.0.1 and earlier.
Fixed Version: 3.0.2 (2018-08-16)
CVE-2018-16405
Description: Missing sanitization of the window.location. The window.location is modified directly to match the view title without HTML escaping, which allowed cross-site scripting (XSS) to occur.
This is a limited scope weakness and can at best be used to perform phishing attacks. The action requires the attacker to have a user account and to be a trusted user with the necessary permissions to create or edit objects whose content may be part of the view title.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if any.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 3.0.1 and earlier.
Fixed Version: 3.0.2 (2018-08-17)
CVE-2014-3840
Description: Missing sanitization of the view title. Authenticated users with object access can create or edit objects with a specially crafted label. Missing HTML escaping allowed cross-site scripting (XSS) to occur.
This is a limited scope weakness and can at best be used to perform phishing attacks. The action requires the attacker to have a user account and to be a trusted user with the necessary permissions to create or edit objects whose content may be part of the view title.
Any usage of this weakness remains logged in the event system, making it easy to track down any bad actors.
Visitors to a Mayan EDMS installation cannot exploit this weakness.
It is not possible to circumvent the Mayan EDMS access control system or expose arbitrary information with this weakness.
Due to all these factors, the attack surface of this weakness is very limited, if any.
There are no known actual or theoretical attacks exploiting this weakness to expose or destroy data.
Impact: Low
Affected Version: 0.12 and earlier.
Fixed Version: 0.13 (2012-12)
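The tag widget, cabinet widget and view title issues above share one root cause: a user-supplied label was placed into markup and the result was then treated as trusted HTML, so escaping never happened. The following is an added example written for this page, not Mayan EDMS code, showing that pattern next to the corrected one. Django's mark_safe() and format_html() are stood in for by plain string formatting and the standard library's html.escape(), which escapes the same five characters (& < > " ') as django.utils.html.escape(); the template string and the regression check are constructed for the example.

```python
"""Rendering a user-supplied label into widget markup: the unescaped pattern
behind the tag, cabinet and view title issues, next to the escaped form.

Added example for this page, not Mayan EDMS code. Django's mark_safe() and
format_html() are stood in for by plain string formatting and html.escape(),
which escapes the same five characters (& < > " ') as django.utils.html.escape().
"""
from html import escape

# Constructed widget template: label text in element content, colour in an attribute.
TAG_TEMPLATE = '<span class="label" style="background: {color}">{label}</span>'


def render_tag_unsafe(label: str, color: str) -> str:
    """Vulnerable pattern: values are interpolated verbatim and the result is
    then handed to the template engine as trusted HTML (the effect of wrapping
    it in mark_safe()), so any markup inside the label is rendered."""
    return TAG_TEMPLATE.format(label=label, color=color)


def render_tag_safe(label: str, color: str) -> str:
    """Hardened pattern: every user-controlled value is escaped before it is
    placed into markup (what format_html() does with its arguments).
    quote=True also escapes quotes, which is what protects the attribute."""
    return TAG_TEMPLATE.format(
        label=escape(label, quote=True),
        color=escape(color, quote=True),
    )


def neutralizes_markup(renderer, probe: str = "<i>probe</i>") -> bool:
    """Regression check a project can keep in its test suite: render a label
    that contains markup and confirm the tags do not survive verbatim."""
    rendered = renderer(probe, "#cccccc")
    return probe not in rendered and "&lt;i&gt;probe&lt;/i&gt;" in rendered


if __name__ == "__main__":
    label = "<b>Important</b>"
    print("unsafe:", render_tag_unsafe(label, "#ffcc00"))
    print("safe:  ", render_tag_safe(label, "#ffcc00"))
    print("unsafe renderer neutralizes markup:", neutralizes_markup(render_tag_unsafe))
    print("safe renderer neutralizes markup:  ", neutralizes_markup(render_tag_safe))
```

The same rule covers the view title cases: a label that ends up in a page title, a breadcrumb or a client-side update of window.location must be escaped at the point where it meets markup, and a check like neutralizes_markup() run against every widget that renders labels catches a regression before it ships.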
Security FAQ
I found a security issue
Open an issue at https://gitlab.com/mayan-edms/mayan-edms/issues/ and mark it as Confidential. Allow us at least 48 hours to find and release a fix for the issue before submitting it to the CVE database.
I want to contact the team directly to report a security issue
The contact method is via email info@mayan-edms.com. Send the complete procedure to recreate the security issue.
Are security bounties available?
As a free and open source project, bounties or prizes for security issues are not available.
Blackmail, extortion, or paid registrations as a requirement for security issue disclosure will be reported to the pertinent managing or legal authorities.