CVE-2023-50883

ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.onlyoffice.com/	Product
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-027.txt	Exploit Third Party Advisory
https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-onlyoffice-docs-syss-2023-027	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:onlyoffice:document_server:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-09 20:15

Updated : 2024-09-20 15:18

NVD link : CVE-2023-50883

Mitre link : CVE-2023-50883

CVE.ORG link : CVE-2023-50883

JSON object : View

Products Affected

onlyoffice

document_server

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-50883", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-09-09T20:15:03.640", "references": [{"url": "https://www.onlyoffice.com/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-027.txt", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-onlyoffice-docs-syss-2023-027", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446."}, {"lang": "es", "value": "Los documentos de ONLYOFFICE anteriores a la versi\u00f3n 8.0.1 permiten XSS porque una macro es una expresi\u00f3n de funci\u00f3n invocada inmediatamente (IIFE) y, por lo tanto, es posible un escape de la zona protegida llamando directamente al constructor del objeto Funci\u00f3n. NOTA: este problema existe debido a una correcci\u00f3n incorrecta de CVE-2021-43446."}], "lastModified": "2024-09-20T15:18:06.593", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:onlyoffice:document_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B634F3FB-249D-4101-8578-24312F9F943E", "versionEndExcluding": "8.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}