Onlyoffice: >> Document Server >> 8.0.0 Security Vulnerabilities
Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service (DoS).
CVSS Score
6.7
EPSS Score
0.001
Published
2025-04-01
ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-09-09