I read in your Changelog (https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#fixes-2) that version 7.3.0 fixes a vulnerability that allows adding an admin via macros.
I cannot find any information on that vulnerability on the forum or on Github.
Could you tell me more about it and how you fixed it?
Document Server version: 7.3.0
Type of installation of the Document Server (docker, deb/rpm, exe): docker
OS: Debian Bookworm
Browser version: not relevant
What information are you looking for?
A kind user reported it to us on HackerOne, providing a vulnerability reproduction script.
The commit fixing bug 60088 is available at the following link: Fix/bug 60088 ([#3175])
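Before scheduling the update, it helps to confirm which Document Server version is actually deployed. The following is an added example, not code from ONLYOFFICE or from this thread: it sends the command service's `version` command and compares the reported version against the 7.3.0 release the changelog names. The command service path `/coauthoring/CommandService.ashx` and the `{"c": "version"}` request are from the ONLYOFFICE API; the sample JSON reply is constructed here, and the example assumes JWT validation is disabled (when JWT is enabled, which is the default in recent builds, the request body has to be signed with the server's secret, which this example does not do).

```python
"""Check whether a Document Server reports a version at or above the 7.3.0 fix.

Added example, not ONLYOFFICE code. The command service endpoint and
the "version" command are documented by ONLYOFFICE; the sample reply below
is constructed, and JWT signing is assumed to be disabled.
"""
import json
import urllib.request

# Release the changelog lists as fixing the macro issue discussed above.
FIXED_VERSION = "7.3.0"


def parse_version(text):
    """Turn a dotted version such as '7.3.0.4' into a tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unexpected version string: {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def needs_update(reported, fixed=FIXED_VERSION):
    """True if the reported version is older than the fixed release.

    Shorter tuples are padded with zeros so '7.3.0' and '7.3.0.0' compare equal.
    """
    r = parse_version(reported)
    f = parse_version(fixed)
    width = max(len(r), len(f))
    r += (0,) * (width - len(r))
    f += (0,) * (width - len(f))
    return r < f


def version_from_response(body):
    """Extract the version from a command-service JSON reply.

    The service reports problems through a non-zero "error" field, so
    refuse to read a version out of such a reply.
    """
    data = json.loads(body)
    if data.get("error", 0) != 0:
        raise RuntimeError(f"command service returned error {data['error']}")
    return data["version"]


def query_version(base_url, timeout=5):
    """POST {"c": "version"} to the command service and return the version string.

    Assumes JWT is disabled on the server (otherwise the body must be signed).
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/coauthoring/CommandService.ashx",
        data=json.dumps({"c": "version"}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return version_from_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed reply standing in for a live server, so this runs offline.
    sample = '{"error":0,"version":"7.2.2.56"}'
    reported = version_from_response(sample)
    state = "needs update" if needs_update(reported) else "at or above the fix"
    print(f"Document Server {reported}: {state}")
```

Replace the constructed reply with `query_version("https://documentserver.example")` (hostname assumed) to check a real instance; if the server answers with a non-zero `error`, JWT is the first thing to check.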
Thank you for your detailed answer!
This confirms that I need to perform an update ASAP
Have a nice day
We always recommend making a backup before performing any actions on the server where ONLYOFFICE software is deployed.
Just a quick additional question: I won't have time to update the server this week (community-run society). Would it be sufficient for now to just disable the macros?
I am using the Nextcloud integration, so I was wondering if the XSS affects Nextcloud admin users or just ONLYOFFICE users?
Very sorry for the long delay.
You can disable plugins and macros in the connector settings.