5 matches found
CVE-2022-24229
The CVE-2022-24229 entry describes an XSS vulnerability in ONLYOFFICE Document Server Example prior to version 7.0.0. The affected component/path is the example editor endpoint (/example/editor), allowing remote attackers to inject arbitrary HTML or JavaScript. The issue is tied to an external we...
CVE-2021-3199
CVE-2021-3199 is a path traversal/remote code execution vulnerability in ONLYOFFICE Document Server (pre-5.6.3). The issue arises in /upload when JWT is used, by exploiting a /.. sequence in an image upload parameter, enabling directory traversal and arbitrary code execution per the public CVE de...
CVE-2023-50883
ONLYOFFICE Docs prior to version 8.0.1 are affected. The issue stems from a macro implemented as an immediately-invoked function expression (IIFE) that enables sandbox escape by calling the Function constructor, leading to XSS. Impact per sources is XSS; affected component is the macro handling i...
CVE-2025-68935
ONLYOFFICE Docs prior to version 9.2.1 is affected by a cross-site scripting (XSS) vulnerability in the Multilevel list settings window’s Font field, related to DocumentServer. The issue is confirmed across multiple sources (including Red Hat, EUVD, NVD, OSV, CVE lists) and lists the vulnerable c...
CVE-2025-68936
Summary: CVE-2025-68936 affects ONLYOFFICE Docs prior to 9.2.1 (DocumentServer relation) and is referenced across multiple feeds as a cross-site scripting (XSS) vulnerability. Affected software: ONLYOFFICE Docs (DocumentServer component referenced in the CVE). Vulnerability details: XSS via the C...