CVE-2022-47419
Python vulnerability analysis and mitigation

Overview

An XSS vulnerability (CVE-2022-47419) was discovered in the Mayan EDMS Document Management System version 4.3.3, specifically affecting the in-product tagging system. The vulnerability was identified by Rapid7 researcher Matthew Kienow and was disclosed on February 7, 2023. The issue has been patched in version 4.3.6, released on February 19, 2023 (Rapid7 Blog, Mayan EDMS).

Technical details

The vulnerability is classified as stored XSS (Cross-Site Scripting), CWE-79 (Improper Neutralization of Input During Web Page Generation). It has a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. An authenticated user creates a tag whose label contains markup; because the label is rendered without sanitization in the tag selection dropdown, the injected markup executes when another user interacts with that dropdown menu (NVD).

Impact

While initially reported as high severity, Mayan EDMS clarified that this is a limited-scope weakness in the tagging system markup: it can only display arbitrary text when a user selects a tag to attach to, or remove from, a document. Exploitation requires a privileged account; guest and anonymous accounts cannot create tags. Additionally, since Django version 1.4 (March 23, 2012), session cookies carry the HttpOnly attribute, which blocks JavaScript access to the session cookie and limits the potential for session hijacking (Mayan EDMS).

Mitigation and workarounds

The vulnerability has been patched in Mayan EDMS version 4.3.6. Prior to patching, administrators should limit the creation of untrusted users, since the tagging system is accessible by default, and permit only known, trusted users to use the tagging features. The vendor's fix sanitizes the tag label when generating the Select2 user interface widget template, so label text is escaped at the point where it is written into HTML (Mayan EDMS).
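The following is an added illustration, not Mayan EDMS code, of the two points above: a tag label interpolated verbatim into a dropdown template is stored XSS, and escaping the label at the point where the widget markup is generated (the approach the vendor fix takes) closes it. Function names, the sample labels and the `<option>`-based widget are assumptions for the example; only the Python standard library is used.

```python
"""Added example (hypothetical names): stored XSS through a tag label in a
dropdown template, and the output-escaping fix. Not Mayan EDMS code."""
import html

# Constructed sample labels, as an authenticated user could save them.
# The third one carries markup; a defender would use it as a test vector.
SAMPLE_LABELS = [
    "Invoices",
    "Contracts & NDAs",
    '<img src=x onerror="alert(1)">',
]


def render_option_vulnerable(tag_id: int, label: str) -> str:
    """Label written into HTML unchanged: the browser parses its markup."""
    return f'<option value="{tag_id}">{label}</option>'


def render_option_fixed(tag_id: int, label: str) -> str:
    """Escape at the output boundary. quote=True also escapes ' and ", which
    matters wherever a label could land in an attribute context."""
    return (
        f'<option value="{int(tag_id)}">'
        f"{html.escape(label, quote=True)}</option>"
    )


def render_select(labels, renderer) -> str:
    """Build the whole dropdown with the given per-option renderer."""
    options = "\n".join(
        renderer(i, label) for i, label in enumerate(labels, start=1)
    )
    return f'<select class="select2">\n{options}\n</select>'


def leaks_markup(label: str, renderer) -> bool:
    """Detection check: True when the label contains HTML-significant
    characters and the renderer lets them through unescaped."""
    if html.escape(label, quote=True) == label:
        return False  # nothing in the label that escaping would change
    return label in renderer(1, label)


if __name__ == "__main__":
    for renderer in (render_option_vulnerable, render_option_fixed):
        print(f"--- {renderer.__name__} ---")
        print(render_select(SAMPLE_LABELS, renderer))
        print("leaks markup:", leaks_markup(SAMPLE_LABELS[2], renderer))
```

The check in `leaks_markup` is the kind of unit test worth keeping in a code base that builds widget fragments by string concatenation: Django's template autoescaping does not apply to HTML assembled in Python or in client-side JavaScript templates, so each such path needs its own escaping and its own test.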

This report was generated using AI.
