Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Document_server
(Onlyoffice)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 17 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-08-14 | CVE-2023-30186 | A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | Document_server | 9.8 | ||
| 2023-08-14 | CVE-2023-30187 | An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. | Document_server | 9.8 | ||
| 2023-08-14 | CVE-2023-30188 | Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file. | Document_server | 7.5 | ||
| 2023-03-19 | CVE-2022-48422 | ONLYOFFICE Docs through 7.3 on certain Linux distributions allows local users to gain privileges via a Trojan horse libgcc_s.so.1 in the current working directory, which may be any directory in which an ONLYOFFICE document is located. | Document_server | 7.8 | ||
| 2022-06-02 | CVE-2022-29776 | Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. | Core, Document_server | 9.8 | ||
| 2022-06-02 | CVE-2022-29777 | Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. | Core, Document_server | 9.8 | ||
| 2021-01-26 | CVE-2021-3199 | Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter. | Document_server | 9.8 | ||
| 2022-04-08 | CVE-2022-24229 | A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor. | Document_server | 6.1 | ||
| 2021-03-01 | CVE-2021-25833 | A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain remote code execution on DocumentServer. | Document_server | 9.8 | ||
| 2021-03-01 | CVE-2021-25832 | A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Using this vulnerability, an attacker is able to gain remote code executions on DocumentServer. | Document_server | 9.8 |