Volerion logoVolerion
Volerion logoVolerion

ONLYOFFICE Docs Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in ONLYOFFICE Docs (DocumentServer) versions through 8.3.1. This issue arises when files are opened via the WOPI protocol, allowing attackers to inject malicious scripts through crafted HTTP POST requests. The injected scripts are then reflected in the server's HTML response.

Impact

Exploitation of this vulnerability allows for the execution of injected scripts in the context of the user's browser, potentially leading to session hijacking, phishing attacks, or manipulation of the user interface.

Reproduction

To reproduce this vulnerability, send a POST request to the '/hosting/wopi/word/edit' endpoint with a crafted query parameter that includes a script injection payload. The server will reflect the injected script in the response, which will be executed in the browser.

Remediation

Users are advised to upgrade to ONLYOFFICE Docs version 8.3.2 or higher.

Added: Jun 12, 2025, 8:17 AM
Updated: Jun 12, 2025, 8:17 AM

Vulnerability Rating

Custom Algorithm
spread
5.2
impact
1.7
exploitability
7.9
remediation
7.7
relevance
0.2
threat
6.5
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.