Full Report
CERT Polska has received a report about 5 vulnerabilities (from CVE-2026-41876 to CVE-2026-41880) found in R-SOFT DMS software.
Analysis Summary
# Vulnerability: Multiple Flaws in R-SOFT DMS Software
## CVE Details
- **CVE ID:** CVE-2026-41876, CVE-2026-41877, CVE-2026-41878, CVE-2026-41879, CVE-2026-41880
- **CVSS Score:** Not explicitly provided in the source (Severity levels range from Medium to Critical based on descriptions)
- **CWE:**
- CWE-78 (OS Command Injection)
- CWE-79 (Stored Cross-site Scripting)
- CWE-639 (IDOR/Authorization Bypass)
- CWE-328 (Use of Weak Hash)
## Affected Systems
- **Products:** R-SOFT SERWIS DMS (Document Management System)
- **Versions:**
- All versions prior to **v3.19-2862**
- All versions prior to **v3.17-2580**
- **Configurations:** Authenticated access is generally required for the most severe flaws (Command Injection and IDOR).
## Vulnerability Description
R-SOFT DMS suffers from five distinct security flaws:
1. **CVE-2026-41876 (OS Command Injection):** The `konwertujAction()` function fails to sanitize file paths and format parameters, allowing arbitrary shell command execution via the document converter.
2. **CVE-2026-41877 (Stored XSS):** File upload functionality allows injecting malicious HTML/JS into filenames, which executes when other users view file lists.
3. **CVE-2026-41878 (Insecure Direct Object Reference):** File download endpoints permit any logged-in user to access any file by ID without checking ownership permissions.
4. **CVE-2026-41879 (Weak Hashing):** Superadmin credentials utilize non-salted nested MD5 hashes, making them susceptible to offline cracking.
5. **CVE-2026-41880 (OS Command Injection):** The OCR module fails to sanitize file paths passed to the system shell via SSH. If triggered, this allows command execution as the **root** user.
## Exploitation
- **Status:** Vulnerabilities reported via coordinated disclosure (PoC status not explicitly confirmed, but technical details suggest high exploitability).
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Authenticated)
## Impact
- **Confidentiality:** **High** (IDOR allows access to all documents; weak hashes expose superadmin credentials).
- **Integrity:** **High** (Command injection allows system modification; XSS allows session hijacking).
- **Availability:** **High** (OS command injection allows for full system takeover or disruption).
## Remediation
### Patches
Users should update to the following versions or newer:
- **v3.19-2862** (Addresses all reported CVEs)
- **v3.17-2580** (Addresses all reported CVEs for the 3.17 branch)
### Workarounds
- Limit network access to the DMS interface to trusted personnel.
- Restrict file upload permissions where possible until patches are applied.
- For CVE-2026-41879: Manually update the configuration file to change the superadmin password if on an unsupported version.
## Detection
- Monitor web server logs for suspicious shell metacharacters (`;`, `&`, `|`, `` ` ``) in parameters associated with `konwertujAction()` or OCR functions.
- Audit file download logs for a single user ID requesting a wide range of sequential file IDs (potential IDOR scanning).
- Use web application firewalls (WAF) to detect `<script>` tags or unusual HTML in file upload metadata.
## References
- **Vendor Advisory:** hxxps://cert[.]pl/en/posts/2026/07/vulnerabilities-in-r-soft-dms-software/
- **CVE Records:**
- hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-41876
- hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-41877
- hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-41878
- hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-41879
- hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-41880