ONLYOFFICE Docs Vulnerable to XSS via GeneratorFunction Object Attack
CVE-2024-44085

Currently unrated

Key Information:

Vendor

ONLYOFFICE

Status
Onlyoffice
Vendor
CVE Published:
9 September 2024

What is CVE-2024-44085?

ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883.

References

https://www.onlyoffice.com/
https://www.syss.de/fileadmin/dokumente/Publikationen/Adv...
https://www.syss.de/pentest-blog/cross-site-scripting-sch...

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2024-44085 : ONLYOFFICE Docs Vulnerable to XSS via GeneratorFunction Object Attack