File Overwriting Vulnerability in ONLYOFFICE DocumentServer
CVE-2021-25833

9.8CRITICAL

Key Information:

Vendor

Onlyoffice

Status
Document Server
Vendor
CVE Published:
1 March 2021

What is CVE-2021-25833?

A vulnerability in the ONLYOFFICE DocumentServer allows attackers to manipulate file extensions via crafted requests. This could lead to arbitrary file overwriting, enabling remote code execution on affected installations. Specifically, versions 4.2.0.71 through 5.6.0.21 are susceptible to this threat, which can be exploited by remote attackers to execute arbitrary code on the server, potentially compromising sensitive data and system integrity.

References

https://github.com/ONLYOFFICE/DocumentServer
x_refsource_MISC
https://github.com/ONLYOFFICE/server
x_refsource_MISC
https://github.com/ONLYOFFICE/server/blob/v5.6.0.21/DocSe...
x_refsource_MISC

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2021-25833 : File Overwriting Vulnerability in ONLYOFFICE DocumentServer