Originally published at: ONLYOFFICE Docs 7.3.3 with important fixes is here | ONLYOFFICE Blog
In this hotfix, we eliminated numerous bugs and successfully patched the recently discovered CVE-20222-47412 vulnerability. Read on for more information.
What was improved in version 7.3.3
Version 7.3.3 includes numerous fixes in all editors, mobile apps, ONLYOFFICE Docs backend, and plugins. You can access full changelog on our GitHub.
Most importantly, CVE-2022-47412 vulnerability was successfully fixed. Researchers initially associated the vulnerability with ONLYOFFICE Workspace code. In fact, it was executable through ONLYOFFICE Docs.
CVE-2022-47412, an instance of CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), was initially discovered by Rapid7 researcher Matthew Kienow in February 2023.
Generally speaking, it is a Multiple DMS XSS vulnerability that allows the intruder to retrieve information about the targeted user’s client. The intruder shares a malicious document that contains a cross-site scripting (XSS) code. When the document is saved within a document management system and the user performs a search action within document content in ONLYOFFICE Docs, the action triggers the execution of the XSS in the user’s browser.
Possible impact may be impersonation of a privileged user within organization’s portal by stealing the user’s session cookie or executing custom commands on behalf of the victim by hooking their browser.
The detailed scenario is described in the original report.
How to report vulnerabilities to ONLYOFFICE team
Submission of the vulnerabilities to ONLYOFFICE security team is done through ONLYOFFICE HackerOne program. To avoid the security risks, we recommend following our Disclosure Policy.
If you wish to apply for an invitation to the bug bounty program, contact us at firstname.lastname@example.org and specify your nickname, associated email, and the details about your findings.