Multiple vulnerabilities in ONLYOFFICE Document Server 5.5.0.
CVE-2020-11534
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit the NSFileDownloader
function to pass parameters to a binary (such as curl or wget) and remotely execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious docx file
that exploits the NSFileDownloader function, which executes curl/wget with
the attacker's parameters, and remotely execute code on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master
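
Added example (not ONLYOFFICE code and not part of the original advisory): one way a service can keep a document-supplied URL from being read as options by curl or wget. The advisory does not describe how the parameters reach the binary; this sketch assumes the URL comes from the document, and the function names and destination path are hypothetical.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class RejectedUrl(ValueError):
    """Raised when a document-supplied URL must not reach the downloader."""


def check_document_url(url):
    """Return url unchanged if it is safe to hand to a download binary."""
    if not isinstance(url, str) or not url:
        raise RejectedUrl("empty or non-string URL")
    # Whitespace and control characters let one value become several
    # arguments if a command line is ever re-split, so refuse them outright.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise RejectedUrl("whitespace or control character in URL")
    # A leading dash would be parsed as an option by curl or wget.
    if url.startswith("-"):
        raise RejectedUrl("URL starts with '-'")
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        raise RejectedUrl("unparseable URL") from exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise RejectedUrl("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise RejectedUrl("URL has no host")
    return url


def build_curl_argv(url, dest_path):
    """Build an argv list (run without a shell); the URL is one final item.

    dest_path is chosen by the server, never taken from the document.
    """
    url = check_document_url(url)
    return ["curl", "--silent", "--fail", "--proto", "=http,https",
            "--output", dest_path, "--", url]


def is_rejected(url):
    """True when check_document_url refuses the value."""
    try:
        check_document_url(url)
    except RejectedUrl:
        return True
    return False
```

The argv list is meant to be passed to a process-spawning call that takes a list and no shell, so the URL stays a single argument after the `--` end-of-options marker.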
CVE-2020-11535
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit XML injection to enter an
attacker-controlled parameter into the x2t binary, to rewrite this binary and/or libxcb.so.1, and execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious docx file to rewrite libxcb.so.1 and remotely execute code on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
CVE-2020-11536
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite
a binary and remotely execute code on a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious docx file
that exploits the unzip function to rewrite some binary and remotely execute
code on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master
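
Added example (not ONLYOFFICE code and not part of the original advisory): a pre-extraction check that flags .docx archives whose entries would be written outside the extraction directory. The advisory does not state how the unzip function is made to rewrite a binary; this sketch assumes the cause is entry names that resolve outside the target directory, and the sample archive is constructed.

```python
import io
import posixpath
import zipfile


def unsafe_entries(archive_bytes):
    """Return the entry names that must not be extracted as-is."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so Windows-style names
            # are judged the same way as POSIX ones.
            name = info.filename.replace("\\", "/")
            normalized = posixpath.normpath(name)
            # The upper 16 bits of external_attr carry the Unix mode;
            # 0o120000 marks a symbolic link entry.
            is_symlink = ((info.external_attr >> 16) & 0o170000) == 0o120000
            escapes = normalized == ".." or normalized.startswith("../")
            absolute = name.startswith("/") or (len(name) > 1 and name[1] == ":")
            if escapes or absolute or is_symlink:
                bad.append(info.filename)
    return bad


def build_sample(names):
    """Build an in-memory archive with the given entry names (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample data")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample([
        "[Content_Types].xml",
        "word/document.xml",
        "word/media/../../../outside.bin",  # resolves above the target dir
    ])
    print(unsafe_entries(sample))
```

A conversion service would run a check like this before handing the file to any native unpacker and refuse the document when the returned list is non-empty.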
CVE-2020-11537
[Suggested description]
A SQL injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection into the DocID parameter of the WebSocket API.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must concatenate an SQLi string, for
example ' UNION SELECT 1,2 FROM pg_sleep(10);-- to the DocID parameter in the
WebSocket API.
------------------------------------------
[Discoverer]
Yandex Security Team, Eldar Zaitov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/