CVE-2022-40317 OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element.

This can lead to remote code execution. This can be triggered via a maliciously crafted URL. OpenKM 6.3.11 does not sanitize the first name field when it is populated from an A element. This can lead to remote code execution. This is a critical issue as it can lead to the compromise of the application and data. The issue does not exist in the OpenKM 6.2 series.  Ref: https://jira.magingproject.com/browse/OPENKM-632 The issue was reported by Siddharth Mohan from India on 2018-11-01. The issue was confirmed by OpenKM engineers and a fix release was made. What’s new in version 6.3.11? XSS in A element fixed.

Impacted Products OpenKM is an open source enterprise data integration platform. It is used by large enterprises and government agencies to manage their data. What’s new in version 6.3.10? Security issue fixed. What’s new in version 6.3.9? Security issue fixed. What’s new in version 6.3.8? Security issue fixed. What’s new in version 6.3.7? Security issue fixed. What’s new in version 6.3.6? Security issue fixed. What’s new in version 6.3.5? OpenKM 6.3

What is new in OpenKM 6.3 .5

OpenKM 6.3.5 is a cumulative update release of OpenKM which includes bug fixes and improvements from recent releases. Check out the release notes for details on all the fixed issues: https://jira.magingproject.com/browse/OPENKM-634

New Features

- Support for Oracle Database XE 11g R2 and 12c.
- Support for Microsoft SQL Server 2016.
- Global configuration schema update and new features added, including: - Configuration Schema: Added support for Multi-instance deployments and updated the list of configurations to show all configurations in the System view. - Configuration Schema: Added an SCD file with a new configuration named "Prestart". - Configuration Schema: Improved the performance by using a new optimization algorithm on the configuration schema where possible.
- Configuration Schema: Added an option to disable automatic cleanup of orphaned records when the server is stopped or restarted.
- Web Viewer: Added support for Microsoft Azure Marketplace Connection.

Overview Of OpenKM 6.3 .11

OpenKM 6.3.11 is released on 2018-11-01 with the following changes:
1) XSS in A element fixed.
2) Security issue fixed.
3) Security issue fixed.

Overview of OpenKM 6.3

The OpenKM 6.3 release contains various updates and improvements. The following list outlines some of the new features:

- New feature: Integration with GitLab
- New feature: Data Validation for BigQuery
- Bug fix for the data in BigQuery not loading when a project is deleted
- Fixed issue where filter takes twice as long to finish after changing the SQL query from SELECT * to SELECT VALUE
- Updated .gitignore so that OpenKM doesn't create a .openkm file by default
- Improvements in the error handling during installation and upgrade
- Improvements in the error handling during data import
- Improved handling of temporary files during install and upgrade

Timeline

Published on: 09/09/2022 17:15:00 UTC
Last modified on: 09/14/2022 19:14:00 UTC

References

• https://github.com/openkm/document-management-system/pull/336
• https://github.com/izdiwho/CVE-2022-40317
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-40317