@andrewaeva
Created April 15, 2020 13:16
Multiple vulnerabilities in ONLYOFFICE Document Server 5.5.0.
CVE-2020-11534
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit the NSFileDownloader
function to pass parameters to a binary (such as curl or wget) and remotely execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious .docx file that
reaches the NSFileDownloader function, which executes curl/wget with
attacker-controlled parameters, and thereby execute code remotely on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master
CVE-2020-11535
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file and exploit XML injection to pass an
attacker-controlled parameter to the x2t binary, overwrite that binary and/or libxcb.so.1, and execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious .docx file that overwrites libxcb.so.1 and thereby execute code remotely on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
CVE-2020-11536
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file and exploit the unzip function to overwrite
a binary and remotely execute code on a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious .docx file that
abuses the unzip function to overwrite a binary and thereby execute code
remotely on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master
CVE-2020-11537
[Suggested description]
A SQL injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection into the DocID parameter of the WebSocket API.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must append an SQL injection string, for
example ' UNION SELECT 1,2 FROM pg_sleep(10);-- , to the DocID parameter of the
WebSocket API.
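The payload above works only if DocID is spliced into the SQL text. The following is an added example, not ONLYOFFICE code, showing the vulnerable concatenation beside the parameterised form, an allow-list check on the identifier, and a detection pass over constructed WebSocket messages. The table and column names, the message shape and the identifier alphabet are assumptions; only the injection string comes from the advisory.

```javascript
// Added example (not ONLYOFFICE code): the DocID value handled three ways,
// plus a detection pass over constructed WebSocket messages. The table and
// column names, the message shape and the identifier alphabet are
// assumptions; only the injection string comes from the advisory above.

// Assumed allow-list for document identifiers.
const DOC_ID_RE = /^[A-Za-z0-9_-]{1,128}$/;

// Vulnerable pattern: the value is spliced into the SQL text, so a quote in
// DocID ends the literal and whatever follows is parsed as SQL.
function buildQueryUnsafe(docId) {
  return "SELECT * FROM task_result WHERE id = '" + docId + "'";
}

// Fixed pattern: the SQL text is constant and the value travels separately as
// a bound parameter. node-postgres accepts this object as client.query(query).
function buildQuerySafe(docId) {
  return { text: 'SELECT * FROM task_result WHERE id = $1', values: [docId] };
}

function isValidDocId(docId) {
  return typeof docId === 'string' && DOC_ID_RE.test(docId);
}

// Handler for an incoming WebSocket message: reject identifiers outside the
// allow-list, and only ever build the parameterised query.
function handleDocMessage(msg) {
  if (!isValidDocId(msg.docid)) {
    return { ok: false, error: 'invalid docid' };
  }
  return { ok: true, query: buildQuerySafe(msg.docid) };
}

// Detection: report messages whose docid carries SQL syntax, so attempts are
// still visible to alerting after the query itself has been fixed.
const SQL_SYNTAX = /('|--|;|\bunion\b|\bselect\b|pg_sleep)/i;

function flagSuspiciousMessages(messages) {
  return messages
    .map((msg, index) => ({ index, docid: msg.docid }))
    .filter((m) => typeof m.docid === 'string' && SQL_SYNTAX.test(m.docid));
}

// Constructed WebSocket messages: one ordinary, one carrying the payload
// quoted in the advisory.
const SAMPLE_MESSAGES = [
  { type: 'open', docid: 'doc_2020-04-15_a1b2c3' },
  { type: 'open', docid: "' UNION SELECT 1,2 FROM pg_sleep(10);--" },
];
```

With the parameterised form, buildQuerySafe(payload).text is the same constant string for every input and the payload only ever appears in values, where the driver sends it as data. The allow-list check is a second, independent layer, and flagSuspiciousMessages() is the kind of rule a WebSocket gateway or log pipeline can run to surface probing against the fixed endpoint.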
------------------------------------------
[Discoverer]
Yandex Security Team, Eldar Zaitov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/