Page 3 of 26 results (0.005 seconds)

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1

ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 se ven afectadas por una vulnerabilidad Server-Side Request Forgery (SSRF). Se puede abusar del servicio de edición de documentos para leer y servir URL arbitrarias como documento. • https://github.com/ONLYOFFICE/server https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution https://www.onlyoffice.com • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1

ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. • https://github.com/ONLYOFFICE/server https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution https://www.onlyoffice.com • CWE-306: Missing Authentication for Critical Function •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. Se ha detectado que Onlyoffice Document Server versiones v6.0.0 y anteriores y Core versiones 6.1.0.26 y anteriores, contienen un desbordamiento de pila por medio del componente DesktopEditor/fontengine/fontconverter/FontFileBase.h • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 https://github.com/ONLYOFFICE/core/commit/b17d5e860f30e8be2caeb0022b63be4c76660178 https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29777 • CWE-787: Out-of-bounds Write •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. Se ha detectado que Onlyoffice Document Server versiones v6.0.0 y anteriores y Core versiones 6.1.0.26 y anteriores, contenían un desbordamiento de pila por medio del componente DesktopEditor/common/File.cpp • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 https://github.com/ONLYOFFICE/core/commit/88cf60a3ed4a2b40d71a1c2ced72fa3902a30967 https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29776 • CWE-787: Out-of-bounds Write •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor. Una vulnerabilidad de tipo cross-site scripting (XSS) en ONLYOFFICE Document Server Example versiones anteriores a v7.0.0, permite a atacantes remotos inyectar HTML o JavaScript arbitrario por medio de /example/editor • https://github.com/ONLYOFFICE/DocumentServer https://github.com/ONLYOFFICE/document-server-integration/issues/252 https://www.onlyoffice.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •