Created April 15, 2020 13:16
Multiple vulnerabilities in ONLYOFFICE Document Server 5.5.0.

CVE-2020-11534
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit the NSFileDownloader
function to pass parameters to a binary (such as curl or wget) and remotely execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious docx file
that exploits the NSFileDownloader function, which executes curl/wget with
the attacker's parameters, and remotely execute code on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master
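
A defensive sketch of the class of fix for CVE-2020-11534, added here as an example; it is not ONLYOFFICE code and not the vendor's patch. It assumes the document-influenced value is the download URL handed to curl; the function names and the option set are illustrative.

```python
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def validate_download_url(url):
    """Return url unchanged if it is a plain absolute http(s) URL, else raise ValueError."""
    if not isinstance(url, str) or not url:
        raise ValueError("empty value")
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("whitespace or control character in URL")
    if url.startswith("-"):
        raise ValueError("value would be parsed as a command-line option")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("not an absolute http(s) URL")
    return url


def build_curl_argv(url, dest_path):
    """Build an argv list for curl; the URL can only ever be one positional argument."""
    return [
        "curl", "--fail", "--silent",
        "--proto", "=http,https",   # curl itself refuses any other protocol
        "--output", dest_path,      # destination chosen by the server, never by the document
        "--",                       # end of options: nothing after this is read as a flag
        validate_download_url(url),
    ]


def download(url, dest_path, timeout=30):
    # A list argv with the default shell=False means no shell parsing or word splitting.
    return subprocess.run(build_curl_argv(url, dest_path), timeout=timeout, check=True)


if __name__ == "__main__":
    # Constructed sample values.
    print(build_curl_argv("https://example.com/image.png", "/tmp/dl/0001.bin"))
    for bad in ("--constructed-option=value", "https://example.com/a b", "ftp://example.com/x"):
        try:
            validate_download_url(bad)
        except ValueError as exc:
            print("rejected:", repr(bad), "->", exc)
```
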

CVE-2020-11535
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit XML injection to enter an
attacker-controlled parameter into the x2t binary, to rewrite this binary and/or libxcb.so.1, and execute code on
a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious docx file to rewrite libxcb.so.1 and remotely execute code on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/

CVE-2020-11536
[Suggested description]
An issue was discovered in ONLYOFFICE Document Server 5.5.0.
An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite
a binary and remotely execute code on a victim's server.
------------------------------------------
[VulnerabilityType Other]
Remote code execution
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Code execution]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must craft a malicious docx file
that exploits the unzip function to rewrite some binary and remotely execute
code on the victim's server.
------------------------------------------
[Discoverer]
Yandex Security Team, Andrew Krasichkov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
https://github.com/ONLYOFFICE/DocumentServer/commits/master

CVE-2020-11537
[Suggested description]
A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection into the DocID parameter of the WebSocket API.
------------------------------------------
[Vulnerability Type]
SQL Injection
------------------------------------------
[Vendor of Product]
https://www.onlyoffice.com/
------------------------------------------
[Affected Product Code Base]
https://github.com/ONLYOFFICE/DocumentServer-5.5.0
------------------------------------------
[Affected Component]
DocumentServer
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
To exploit the vulnerability, an attacker must concatenate an SQLi string, for
example ' UNION SELECT 1,2 FROM pg_sleep(10);-- to the DocID parameter in the
WebSocket API.
------------------------------------------
[Discoverer]
Yandex Security Team, Eldar Zaitov
------------------------------------------
[Reference]
https://www.onlyoffice.com/blog/
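
The DocID handling described in CVE-2020-11537, shown as a flawed lookup beside a hardened one; this is an added example, not ONLYOFFICE code or the vendor's fix. An in-memory SQLite database stands in for the server's database so the block runs offline, and the table, column and function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed stand-ins: the product's real table and column names are not on the page.
DOC_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")
ADVISORY_STRING = "' UNION SELECT 1,2 FROM pg_sleep(10);--"  # quoted in the advisory


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doc_state (doc_id TEXT PRIMARY KEY, status INTEGER)")
    db.execute("INSERT INTO doc_state VALUES ('report-42', 1)")
    return db


def concat_lookup(db, doc_id):
    """Flawed pattern: the DocID is spliced into the statement text."""
    sql = "SELECT doc_id, status FROM doc_state WHERE doc_id = '" + doc_id + "'"
    return db.execute(sql).fetchall()


def bound_lookup(db, doc_id):
    """Hardened: allowlist the identifier, then pass it as a bound parameter."""
    if not isinstance(doc_id, str) or not DOC_ID_RE.fullmatch(doc_id):
        raise ValueError("DocID rejected by allowlist")
    sql = "SELECT doc_id, status FROM doc_state WHERE doc_id = ?"
    return db.execute(sql, (doc_id,)).fetchall()


def outcome(lookup, doc_id):
    """Classify what a lookup did with a DocID: 'rows', 'rejected' or 'parsed-as-sql'."""
    db = make_db()
    try:
        lookup(db, doc_id)
        return "rows"
    except ValueError:
        return "rejected"
    except sqlite3.OperationalError:
        # The engine tried to resolve names taken from the DocID, so it read it as SQL.
        return "parsed-as-sql"
    finally:
        db.close()


if __name__ == "__main__":
    for fn in (concat_lookup, bound_lookup):
        print(fn.__name__, outcome(fn, "report-42"), outcome(fn, "report-42" + ADVISORY_STRING))
```
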