Skip to main content

Document Server

17 CVEs product

Monthly

CVE-2023-46988 MEDIUM POC This Month

Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint,. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Path Traversal Denial Of Service Document Server
NVD
CVSS 3.1
6.7
EPSS
0.3%
CVE-2023-30188 HIGH POC PATCH This Week

Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Document Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2023-30187 CRITICAL POC PATCH Act Now

An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow RCE Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
1.9%
CVE-2023-30186 CRITICAL POC PATCH Act Now

A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Memory Corruption Use After Free RCE Document Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
1.8%
CVE-2022-29777 CRITICAL POC PATCH Act Now

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow Core Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
6.9%
CVE-2022-29776 CRITICAL POC PATCH Act Now

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow Core Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
6.9%
CVE-2022-24229 MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Document Server
NVD GitHub
CVSS 3.1
6.1
EPSS
1.8%
CVE-2021-25833 CRITICAL POC THREAT Act Now

A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
43.5%
CVE-2021-25832 CRITICAL POC THREAT Act Now

A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
12.6%
CVE-2021-25831 CRITICAL POC THREAT Act Now

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
11.5%
CVE-2021-25830 CRITICAL POC THREAT Act Now

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
11.8%
CVE-2021-25829 HIGH POC This Week

An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Document Server
NVD GitHub
CVSS 3.1
7.5
EPSS
7.4%
CVE-2021-3199 CRITICAL POC Act Now

Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
8.2%
CVE-2020-11537 CRITICAL Act Now

A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
1.5%
CVE-2020-11536 CRITICAL Act Now

An issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
2.6%
CVE-2020-11535 CRITICAL Act Now

An issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2020-11534 CRITICAL Act Now

An issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Document Server
NVD GitHub
CVSS 3.1
9.8
EPSS
2.2%
EPSS 0% CVSS 6.7
MEDIUM POC This Month

Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint,. Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. Public exploit code available and no vendor patch available.

Authentication Bypass Path Traversal Denial Of Service +1
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Memory Exhaustion vulnerability in ONLYOFFICE Document Server 4.0.3 through 7.3.2 allows remote attackers to cause a denial of service via crafted JavaScript file. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Document Server
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

An out of bounds memory access vulnerability in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow RCE +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

A use after free issue discovered in ONLYOFFICE DocumentServer 4.0.3 through 7.3.2 allows remote attackers to run arbitrary code via crafted JavaScript file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Memory Corruption Use After Free +2
NVD GitHub VulDB
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow Core +1
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Memory Corruption Buffer Overflow Core +1
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

A cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server Example before v7.0.0 allows remote attackers inject arbitrary HTML or JavaScript through /example/editor. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Document Server
NVD GitHub
EPSS 44% CVSS 9.8
CRITICAL POC THREAT Act Now

A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Document Server
NVD GitHub
EPSS 13% CVSS 9.8
CRITICAL POC THREAT Act Now

A heap buffer overflow vulnerability inside of BMP image processing was found at [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v6.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Memory Corruption Document Server
NVD GitHub
EPSS 12% CVSS 9.8
CRITICAL POC THREAT Act Now

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Document Server
NVD GitHub
EPSS 12% CVSS 9.8
CRITICAL POC THREAT Act Now

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Document Server
NVD GitHub
EPSS 7% CVSS 7.5
HIGH POC This Week

An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Document Server
NVD GitHub
EPSS 8% CVSS 9.8
CRITICAL POC Act Now

Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Document Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL Act Now

A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Document Server
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL Act Now

An issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Document Server
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Document Server
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue was discovered in ONLYOFFICE Document Server 5.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Document Server
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy