Vulnerability Details CVE-2021-43446
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.044
EPSS Ranking 88.3%
CVSS Severity
CVSS v3 Score 6.1
References
- https://github.com/ONLYOFFICE/server
- https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/
- https://onlyoffice.com/
- https://github.com/ONLYOFFICE/server
- https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/
- https://onlyoffice.com/
Products affected by CVE-2021-43446
-
cpe:2.3:a:onlyoffice:server:7.0.0.49