Vulnerabilities > Onlyoffice

DATE CVE VULNERABILITY TITLE RISK
2024-09-09 CVE-2023-50883 Cross-site Scripting vulnerability in Onlyoffice Document Server
ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object.
network
low complexity
onlyoffice CWE-79
6.1
2023-08-14 CVE-2023-30186 Use After Free vulnerability in Onlyoffice Document Server
A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
network
low complexity
onlyoffice CWE-416
critical
9.8
2023-08-14 CVE-2023-30187 Out-of-bounds Write vulnerability in Onlyoffice Document Server
An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file.
network
low complexity
onlyoffice CWE-787
critical
9.8
2023-08-14 CVE-2023-30188 Infinite Loop vulnerability in Onlyoffice Document Server
Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file.
network
low complexity
onlyoffice CWE-835
7.5
2023-06-22 CVE-2023-34939 Path Traversal vulnerability in Onlyoffice
Onlyoffice Community Server before v12.5.2 was discovered to contain a remote code execution (RCE) vulnerability via the component UploadProgress.ashx.
network
low complexity
onlyoffice CWE-22
critical
9.8
2023-03-19 CVE-2022-48422 Uncontrolled Search Path Element vulnerability in Onlyoffice Document Server
ONLYOFFICE Docs through 7.3 on certain Linux distributions allows local users to gain privileges via a Trojan horse libgcc_s.so.1 in the current working directory, which may be any directory in which an ONLYOFFICE document is located.
local
low complexity
onlyoffice CWE-427
7.8
2023-02-07 CVE-2022-47412 Cross-site Scripting vulnerability in Onlyoffice Workspace
Given a malicious document provided by an attacker, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or "Type II") cross-site scripting (XSS) condition.
network
low complexity
onlyoffice CWE-79
5.4
2023-01-23 CVE-2021-43444 Improper Authentication vulnerability in Onlyoffice Server 7.0.0.49
ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control.
network
low complexity
onlyoffice CWE-287
7.5
2023-01-23 CVE-2021-43445 Improper Authentication vulnerability in Onlyoffice Server 7.0.0.49
ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control.
network
low complexity
onlyoffice CWE-287
critical
9.8
2023-01-23 CVE-2021-43446 Cross-site Scripting vulnerability in Onlyoffice Server 7.0.0.49
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS).
network
low complexity
onlyoffice CWE-79
6.1