Shodan
Vulnerabilities
Vulnerable Software
Onlyoffice:  Security Vulnerabilities
CVE-2022-47412
Given a malicious document provided by an attacker, the ONLYOFFICE Workspace DMS is vulnerable to a stored (persistent, or "Type II") cross-site scripting (XSS) condition.
CVSS Score
5.4
EPSS Score
0.005
Published
2023-02-07
CVE-2021-43444
ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key.
CVSS Score
7.5
EPSS Score
0.015
Published
2023-01-23
CVE-2021-43445
ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An attacker can authenticate with the web socket service of the ONLYOFFICE document editor which is protected by JWT auth by using a default JWT signing key.
CVSS Score
9.8
EPSS Score
0.019
Published
2023-01-23
CVE-2021-43446
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used.
CVSS Score
6.1
EPSS Score
0.064
Published
2023-01-23
CVE-2021-43447
ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication.
CVSS Score
7.5
EPSS Score
0.002
Published
2023-01-23
CVE-2021-43448
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known.
CVSS Score
5.3
EPSS Score
0.004
Published
2023-01-23
CVE-2021-43449
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document.
CVSS Score
8.1
EPSS Score
0.008
Published
2023-01-23
CVE-2022-29776
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp.
CVSS Score
9.8
EPSS Score
0.162
Published
2022-06-02
CVE-2022-29777
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h.
CVSS Score
9.8
EPSS Score
0.162
Published
2022-06-02
CVE-2022-24229
A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor.
CVSS Score
6.1
EPSS Score
0.004
Published
2022-04-08


Products
Pricing
Contact Us

Shodan ® - All rights reserved