
cpe:2.3:a:onlyoffice:document_server:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor: Onlyoffice (aa7cc050-0dc3-5b16-8f30-50874a0ca7d2)
Product: Document Server (98959d25-6982-5419-9a75-714317655e7f)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL | Source | Last updated
pkg:github/onlyoffice/documentserver | purl2cpe | 2026-06-01 10:18:00.395255

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2025-68936 vulnerable 2026-06-08 07:41:21.951318 Details available
MEDIUM (6.4)
ONLYOFFICE Docs before 9.2.1 allows XSS via the Color theme name. This is related to DocumentServer.
Published: 2025-12-25T20:07:55.864Z
Updated: 2025-12-26T14:51:24.365Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68935 vulnerable 2026-06-08 07:41:21.951093 Details available
MEDIUM (6.4)
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
Published: 2025-12-25T20:05:48.545Z
Updated: 2025-12-26T14:51:29.788Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68917 vulnerable 2026-06-08 07:41:21.910903 Details available
MEDIUM (6.4)
ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.
Published: 2025-12-24T20:19:25.402Z
Updated: 2025-12-24T20:38:16.538Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-50883 vulnerable 2026-06-08 06:16:16.939003 Details available
ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446.
Published: 2024-09-09T00:00:00.000Z
Updated: 2024-09-10T14:24:40.310Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-46988 vulnerable 2026-06-08 06:14:23.757482 Details available
Path Traversal vulnerability in ONLYOFFICE Document Server before v8.0.1 allows a remote attacker to copy arbitrary files by manipulating the fileExt parameter in the /example/editor endpoint, leading to unauthorized access to sensitive files and potential Denial of Service (DoS).
Published: 2025-04-01T00:00:00.000Z
Updated: 2025-04-15T22:29:50.052Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-30188 vulnerable 2026-06-08 06:02:43.884555 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-30187 vulnerable 2026-06-08 06:02:43.884070 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2023-30186 vulnerable 2026-06-08 06:02:43.883516 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-48422 vulnerable 2026-06-08 05:51:34.485130 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-29777 vulnerable 2026-06-08 05:42:48.808123 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-29776 vulnerable 2026-06-08 05:42:48.807702 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2022-24229 vulnerable 2026-06-08 05:40:59.754543 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-3199 vulnerable 2026-06-08 05:33:51.023555 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-25833 vulnerable 2026-06-08 05:30:41.593650 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-25832 vulnerable 2026-06-08 05:30:41.593165 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-25831 vulnerable 2026-06-08 05:30:41.592770 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-25830 vulnerable 2026-06-08 05:30:41.592257 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2021-25829 vulnerable 2026-06-08 05:30:41.591767 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
