Macro Vulnerability Details


I read in your Changelog that version 7.3.0 fixes a vulnerability that allows adding an admin via macros.
I cannot find any information on that vulnerability on the forum or on Github.
Could you tell me more about it and how you fixed it?

Document Server version: 7.3.0
Type of installation of the Document Server (docker, deb/rpm, exe): docker
OS: Debian Bookworm
Browser version: not relevant


Hey, @keo :wave:

What information are you looking for?

A kind user reported it to us on HackerOne, providing a vulnerability reproduction script.

The commit fixing bug 60088 is available at the following link: Fix/bug 60088 ([#3175])


Hi Nikolas,

Thank you for your detailed answer!

This confirms that I need to perform an update ASAP :slight_smile:

Have a nice day :wave:

Aye, sir.
We always recommend making a backup before performing any actions on the server where ONLYOFFICE software is deployed.


Hi @Nikolas,

Just a quick additional question: I won’t have time to update the server this week (community-run society). Would it be sufficient for now to just disable the macros?

I am using the Nextcloud integration, so I was wondering if the XSS affects Nextcloud admin users or just Onlyoffice users?



Very sorry for the long delay :pray:
You can disable plugins and macros in the connector settings.