exploitDog

CVE-2024-44085

Опубликовано: 09 сент. 2024

Источник: nvd

CVSS3: 6.1

EPSS Низкий

Описание

ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883.

Ссылки

https://www.onlyoffice.com/
Product
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-027.txt
Exploit
Third Party Advisory
https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-onlyoffice-docs-syss-2023-027
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:onlyoffice:onlyoffice:*:*:*:*:document_server:*:*:*

Версия до 8.1.0 (исключая)

EPSS

Процентиль: 65%

0.00491

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-54cp-27ww-4fm3

CVSS3: 6.1

github

больше 1 года назад

ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883.

EPSS

Процентиль: 65%

0.00491

Низкий

6.1 Medium

CVSS3

Дефекты

CWE-79