ONLYOFFICE Docs 7.3.3 with important fixes is here

Originally published at: ONLYOFFICE Docs 7.3.3 with important fixes is here | ONLYOFFICE Blog

In this hotfix, we eliminated numerous bugs and successfully patched the recently discovered CVE-2022-47412 vulnerability. Read on for more information.

CVE-2022-47412 fixed in ONLYOFFICE

What was improved in version 7.3.3

Version 7.3.3 includes numerous fixes in all editors, mobile apps, the ONLYOFFICE Docs backend, and plugins. You can access the full changelog on our GitHub.

Most importantly, the CVE-2022-47412 vulnerability was successfully fixed. Researchers initially associated the vulnerability with ONLYOFFICE Workspace code. In fact, it was exploitable through ONLYOFFICE Docs.

About CVE-2022-47412

CVE-2022-47412, an instance of CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), was initially discovered by Rapid7 researcher Matthew Kienow in February 2023.

Generally speaking, it is a multiple DMS XSS vulnerability that allows an intruder to retrieve information about the targeted user's client. The intruder shares a malicious document that contains cross-site scripting (XSS) code. When the document is saved within a document management system and the user performs a search within the document content in ONLYOFFICE Docs, the action triggers execution of the XSS in the user's browser.

Possible impact includes impersonation of a privileged user within an organization's portal by stealing the user's session cookie, or execution of custom commands on behalf of the victim by hooking their browser.

The detailed scenario is described in the original report.

How to report vulnerabilities to ONLYOFFICE team

Vulnerabilities are submitted to the ONLYOFFICE security team through the ONLYOFFICE HackerOne program. To avoid security risks, we recommend following our Disclosure Policy.

If you wish to apply for an invitation to the bug bounty program, contact us at security@onlyoffice.com and specify your nickname, associated email, and the details about your findings.

Useful links

ONLYOFFICE Docs 7.3.3 on GitHub

Download the latest version of ONLYOFFICE Docs

About ONLYOFFICE HackerOne program

Security in ONLYOFFICE solutions
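The post describes the CWE-79 mechanism in general terms: document text supplied by an attacker is later rendered into the page when another user searches inside the document. The following is an added illustration of that pattern, not ONLYOFFICE code and not a description of the actual fix. The two rendering functions, the tag-scanning helper and the sample document text are constructed for the example; they show the difference between splicing document content into result markup and escaping it first.

```javascript
// Added example (not ONLYOFFICE code): rendering a search hit from a
// document's text into HTML. Both functions return the HTML string a
// results panel would insert; they differ in whether the document text is
// treated as markup or as text.

const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));

// Wrap every literal occurrence of `term` in <mark>. Uses split/join rather
// than a RegExp so regex metacharacters in the term are not interpreted.
function highlight(text, term) {
  if (!term) return text;
  return text.split(term).join(`<mark>${term}</mark>`);
}

// Vulnerable shape: the raw document text is spliced into markup so the
// matched term can be highlighted. Any tag or event handler the document
// author placed near the search term is rendered as HTML.
function renderHitUnsafe(snippet, query) {
  return `<li class="hit">${highlight(snippet, query)}</li>`;
}

// Hardened shape: escape the text first, then highlight the escaped query
// inside the escaped text. Attacker-supplied angle brackets survive only as
// entities; the only real tags in the output are the <li> and <mark> we emit.
function renderHitSafe(snippet, query) {
  return `<li class="hit">${highlight(escapeHtml(snippet), escapeHtml(query))}</li>`;
}

// Check used below: does the output contain any tag other than the <li> and
// <mark> this renderer emits itself?
function hasForeignTag(html) {
  const tags = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return tags.some((t) => !/^<\/?(li|mark)$/.test(t));
}

// Constructed sample: a "document" whose text carries an image tag with an
// error handler next to the word a victim is likely to search for.
const SAMPLE_DOC_TEXT =
  'Quarterly <img src=x onerror="alert(document.cookie)"> budget review';
const QUERY = "budget";

const unsafeHtml = renderHitUnsafe(SAMPLE_DOC_TEXT, QUERY);
const safeHtml = renderHitSafe(SAMPLE_DOC_TEXT, QUERY);

console.log("unsafe foreign tag:", hasForeignTag(unsafeHtml));
console.log("safe   foreign tag:", hasForeignTag(safeHtml));
console.log(safeHtml);
```

The order of operations is the whole point: escaping after highlighting would also neutralise the renderer's own `<mark>` tags, while highlighting before escaping leaves the attacker's markup live. Escaping the query with the same function keeps the match aligned with the escaped text (a query containing `&` still matches its `&amp;` form).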

I got the update for docker and the desktop app, thanks! Will there be an update for the iOS app as well, or is 7.2 still the latest version for that?

Hello @ps_iclimbthings
Yes, we released v.7.3 for iOS yesterday.

Thank you so much, excited that mobile collaboration is working again :slight_smile:

Do you mean the situation described in your topic here: Co-editing no longer working in iOS app?
We’re still working on the mentioned bug 60238. We’re glad that the update has helped in your situation, but we are continuing our investigation.

Yes, with 7.3 co-editing is now fixed on iOS. Running 7.3 in Docker with the iOS app and the macOS app, I can co-edit with the iOS app and the macOS app both open on the same document.

Understood, but we’re continuing our investigation anyway in case of other users who might face the same situation.