Macro Vulnerability Details

Hi,

I read in your Changelog (https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#fixes-2) that version 7.3.0 fixes a vulnerability that allows adding an admin via macros.
I cannot find any information on that vulnerability on the forum or on GitHub.
Could you tell me more about it and how you fixed it?

Document Server version: 7.3.0
Type of installation of the Document Server (docker, deb/rpm, exe): docker
OS: Debian Bookworm
Browser version: not relevant

Regards,

Hey, @keo :wave:

What information are you looking for?

A kind user reported it to us on HackerOne, providing a vulnerability reproduction script.

The commit fixing bug 60088 is available at the following link: Fix/bug 60088 ([#3175])

:handshake:

1 Like

Hi Nikolas,

Thank you for your detailed answer!

This confirms that I need to perform an update ASAP :slight_smile:

Have a nice day :wave:

1 Like

Aye, sir.
We always recommend making a backup before performing any actions on the server where ONLYOFFICE software is deployed.

:hugs:

Hi @Nikolas,

Just a quick additional question: I won't have time to update the server this week (community-run society). Would it be sufficient for now to just disable the macros?

I am using the Nextcloud integration, so I was wondering if the XSS affects Nextcloud admin users or just ONLYOFFICE users?

Regards,

@keo

Very sorry for the long delay :pray:
You can disable plugins and macros in the connector settings.

1 Like