CVE-2023-50072

Name of the Vulnerable Software and Affected Versions OpenKM version 7.1.40

Description A Stored Cross-Site Scripting (XSS) issue exists that allows an authenticated user to upload a note on a file, which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS. The vulnerability is related to the lack of protection of the web page structure when processing the text parameter, which can allow a remote attacker to conduct cross-site scripting attacks by uploading specially crafted malicious files.

Recommendations For OpenKM version 7.1.40, consider disabling the note upload feature until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the note feature in the document file to minimize the risk of triggering the XSS payload. At the moment, there is no information about a newer version that contains a fix for this vulnerability.