Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Multiple vulnerabilities in ONLYOFFICE Document Server 5.5.0.
CVE-2020-11534
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit the NSFileDownloader
function to pass parameters to a binary (such as curl or wget) and remotely execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, attacker must craft malicious docx file
to exploit NSFileDownloader function, which execute curl/wget with
attackers parameters and remotely execute code on victims server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master
CVE-2020-11535
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit XML injection to enter an
attacker-controlled parameter into the x2t binary, to rewrite this binary and/or libxcb.so.1, and execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, attacker must craft malicious docx file to rewrite libxcb.so.1 and remotely execute code on victims server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
CVE-2020-11536
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite
a binary and remotely execute code on a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer- 5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, attacker must craft malicious docx file
to exploit unzip function to rewrite some binary and remotely execute
code on victims server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master
CVE-2020-11537
[Suggested description]
A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection to DocID parameter of Websocket API.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, attacker must concat SQLi string, for
example ' UNION SELECT 1,2 FROM pg_sleep(10);-- to DocID parameter in
Websocket API.
------------------------------------------
[Discoverer]
Yandex Security Team, Eldar Zaitov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.