CVE-2025-5301 (GCVE-0-2025-5301)

Vulnerability from cvelistv5 – Published: 2025-06-12 07:59 – Updated: 2025-06-18 04:08
VLAI?
Summary
ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server's HTML response.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
Vendor Product Version
OnlyOffice Docs (DocumentServer) Affected: <=8.3.1
Create a notification for this product.
Credits
Max Rull, SEC Consult Vulnerability Lab
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 6.1,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-5301",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-12T13:45:27.605229Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-12T13:48:22.288Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-onlyoffice-docs-documentserver/"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-06-18T04:08:26.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://seclists.org/fulldisclosure/2025/Jun/18"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Docs (DocumentServer)",
          "vendor": "OnlyOffice",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c=8.3.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Max Rull, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server\u0027s HTML response.\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server\u0027s HTML response."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-591 Reflected XSS"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T07:59:05.650Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://r.sec-consult.com/onlyoffice"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#832"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe vendor provides a patched version v8.3.2 (or higher) which can be downloaded from:\u003c/p\u003e\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/ONLYOFFICE/DocumentServer/\"\u003ehttps://github.com/ONLYOFFICE/DocumentServer/\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e"
            }
          ],
          "value": "The vendor provides a patched version v8.3.2 (or higher) which can be downloaded from:\n\n https://github.com/ONLYOFFICE/DocumentServer/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2025-5301",
    "datePublished": "2025-06-12T07:59:05.650Z",
    "dateReserved": "2025-05-28T09:59:37.753Z",
    "dateUpdated": "2025-06-18T04:08:26.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-5301\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2025-06-12T08:15:23.603\",\"lastModified\":\"2025-06-18T05:15:50.287\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server\u0027s HTML response.\"},{\"lang\":\"es\",\"value\":\"ONLYOFFICE Docs (DocumentServer) en versiones iguales o inferiores a la 8.3.1 se ve afectado por un problema de cross-site scripting (XSS) al abrir archivos mediante el protocolo WOPI. Los atacantes podr\u00edan inyectar scripts maliciosos mediante solicitudes HTTP POST manipuladas, que posteriormente se reflejan en la respuesta HTML del servidor.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#832\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"https://r.sec-consult.com/onlyoffice\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"http://seclists.org/fulldisclosure/2025/Jun/18\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-onlyoffice-docs-documentserver/\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://seclists.org/fulldisclosure/2025/Jun/18\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-06-18T04:08:26.144Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-5301\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-12T13:45:27.605229Z\"}}}], \"references\": [{\"url\": \"https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scripting-in-onlyoffice-docs-documentserver/\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-12T13:48:13.545Z\"}}], \"cna\": {\"title\": \"Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer)\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Max Rull, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-591\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-591 Reflected XSS\"}]}], \"affected\": [{\"vendor\": \"OnlyOffice\", \"product\": \"Docs (DocumentServer)\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c=8.3.1\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"The vendor provides a patched version v8.3.2 (or higher) which can be downloaded from:\\n\\n https://github.com/ONLYOFFICE/DocumentServer/\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe vendor provides a patched version v8.3.2 (or higher) which can be downloaded from:\u003c/p\u003e\u003cp\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://github.com/ONLYOFFICE/DocumentServer/\\\"\u003ehttps://github.com/ONLYOFFICE/DocumentServer/\u003c/a\u003e\u0026nbsp;\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/onlyoffice\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#832\", \"tags\": [\"release-notes\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server\u0027s HTML response.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server\u0027s HTML response.\u003c/p\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2025-06-12T07:59:05.650Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-5301\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-18T04:08:26.144Z\", \"dateReserved\": \"2025-05-28T09:59:37.753Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2025-06-12T07:59:05.650Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.