CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-50883
https://notcve.org/view.php?id=CVE-2023-50883
09 Sep 2024 — ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446. • https://www.onlyoffice.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-30186
https://notcve.org/view.php?id=CVE-2023-30186
14 Aug 2023 — A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. • http://onlyoffice.com • CWE-416: Use After Free •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-30187
https://notcve.org/view.php?id=CVE-2023-30187
14 Aug 2023 — An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. • http://onlyoffice.com • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 2%CPEs: 1EXPL: 1CVE-2023-30188
https://notcve.org/view.php?id=CVE-2023-30188
14 Aug 2023 — Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file. • http://onlyoffice.com • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-48422
https://notcve.org/view.php?id=CVE-2022-48422
19 Mar 2023 — ONLYOFFICE Docs through 7.3 on certain Linux distributions allows local users to gain privileges via a Trojan horse libgcc_s.so.1 in the current working directory, which may be any directory in which an ONLYOFFICE document is located. • https://forum.onlyoffice.com/t/security-hole-library-from-cwd/3302 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2021-43444
https://notcve.org/view.php?id=CVE-2021-43444
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key. Todas las versiones de ONLYOFFICE a partir del 08/11/2021 se ven afectadas por un control de acceso incorrecto. Las URL de descarga de documentos firmados se pueden falsificar debido a una clave de firma de URL predeterminada débil. • https://github.com/ONLYOFFICE/server • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2021-43445
https://notcve.org/view.php?id=CVE-2021-43445
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An attacker can authenticate with the web socket service of the ONLYOFFICE document editor which is protected by JWT auth by using a default JWT signing key. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 se ven afectadas por un control de acceso incorrecto. Un atacante puede autenticarse con el servicio de socket web del editor de documentos ONLYOFFICE que está protegido por la autenticación JWT mediante ... • https://github.com/ONLYOFFICE/server • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 4%CPEs: 1EXPL: 1CVE-2021-43446
https://notcve.org/view.php?id=CVE-2021-43446
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 son vulnerables a Cross Site Scripting (XSS). La función "macros" del editor de documentos permite realizar cross site scripting. • https://github.com/ONLYOFFICE/server • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43447
https://notcve.org/view.php?id=CVE-2021-43447
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. • https://github.com/ONLYOFFICE/server • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43448
https://notcve.org/view.php?id=CVE-2021-43448
23 Jan 2023 — ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known. Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 son vulnerables a una validación de entrada incorrecta. La falta de validación de entrada puede permitir que un atacante falsifique los nombres de los usuarios que interactúan con un documento, si se conoce la identificació... • https://github.com/ONLYOFFICE/server • CWE-20: Improper Input Validation •