Ascensio System SIA OnlyOffice Cross-Site Scripting Vulnerability in Comment Handler Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Ascensio System SIA OnlyOffice versions through 12.7.0. The issue resides in the Comment Handler component, specifically within an unknown function of the file '/Products/Projects/Messages.aspx'. This vulnerability allows remote attackers to inject malicious scripts that are executed in the context of the user's browser. The XSS exploit takes advantage of the application's support for HTML input, which includes the ability to embed iframes that can execute JavaScript from external sources.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, create an HTML file named 'index.html' containing a JavaScript payload, such as an image tag with an 'onerror' event. Serve this file using a Python HTTP server. Then, in OnlyOffice, create a comment on a project and edit the comment's source code to include an iframe pointing to the served 'index.html' file. After saving the comment, the injected script will execute when the page is loaded.
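For defenders checking whether stored comments already carry this kind of markup, the following added example (not code from OnlyOffice or from the original advisory) audits a comment's HTML for frame elements that load from outside the portal and for inline event handlers. The `PORTAL_HOSTS` value, the function names and the sample comment are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hostnames the portal itself is served from (constructed value).
PORTAL_HOSTS = {"portal.example.test"}
FRAME_TAGS = {"iframe", "frame", "object", "embed"}

class CommentAuditor(HTMLParser):
    # Collects (tag, attribute, reason) for markup that can run script.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before calling this.
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append((tag, name, "inline event handler"))
            elif tag in FRAME_TAGS and name == "srcdoc":
                self.findings.append((tag, name, "inline frame document"))
            elif tag in FRAME_TAGS and name in ("src", "data"):
                reason = self._check_url(value)
                if reason:
                    self.findings.append((tag, name, reason))

    @staticmethod
    def _check_url(url):
        try:
            parts = urlsplit(url)
        except ValueError:
            return "unparseable URL"
        if parts.scheme in ("javascript", "data"):
            return "script-capable URL scheme: " + parts.scheme
        if parts.hostname and parts.hostname not in PORTAL_HOSTS:
            return "external frame source: " + parts.hostname
        return None  # relative URL or a portal host

def audit_comment(html):
    auditor = CommentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

if __name__ == "__main__":
    # Constructed comment body shaped like the reproduction described above.
    sample = '<p>hi</p><iframe src="http://192.0.2.10:8000/index.html"></iframe>'
    print(audit_comment(sample))
```
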

Added: Sep 11, 2025, 4:17 PM
Updated: Sep 11, 2025, 7:00 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 1.7
exploitability: 7.7
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.