Lucene search

[email protected]NVD:CVE-2021-43448

HistoryJan 23, 2023 - 3:15 p.m.

CVE-2021-43448

2023-01-2315:15:13

CWE-20

[email protected]

web.nvd.nist.gov

onlyoffice

2021

vulnerable

input validation

document id

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

35.7%

JSON

ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known.

Affected configurations

Nvd

Node

onlyofficeserverRange≤7.0.0.49

References

github.com/ONLYOFFICE/server

labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/

www.onlyoffice.com/

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

AI Score

5.2

Confidence

High

EPSS

0.001

Percentile

35.7%

JSON

Related for NVD:CVE-2021-43448

osv1 cve1 prion1 cvelist1