Vulnerabilities
Vulnerable Software
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
CVSS Score: 6.4 | EPSS Score: 0.0 | Published: 2025-12-25
ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.
CVSS Score: 6.4 | EPSS Score: 0.0 | Published: 2025-12-25
Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service (DoS).
CVSS Score: 6.7 | EPSS Score: 0.003 | Published: 2025-04-01
ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446.
CVSS Score: 6.1 | EPSS Score: 0.002 | Published: 2024-09-09

