DELTA OBSCURA

We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.

Our Partners

OnlyOffice Community Server - v12.7.0 - Cross-Site Scripting

By 0xhamy 03:26 PM - October 22nd 2025
Type software
Product Environment web
Product Name OnlyOffice Community Server
Product Vendor Ascensio System SIA
Product Version 12.7.0
Product Link https://github.com/ONLYOFFICE/Docker-CommunityServer
Vulnerability Name Cross-Site Scripting
Severity High
CVSS String
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score 8.7
CVE ID CVE-2025-10254
Vendor Acknowledgement Yes
Affected digital Assets
10523
Affected Users
1052300
Date of Reporting Feb 17, 2025
PoC Exploit -
Credit 0xhamy,daeda1us

Description

ONLYOFFICE Community Server allows HTML in project comments and accepts embedded SVG images, enabling stored cross-site scripting (XSS).
An attacker can post a comment containing a base64-encoded SVG with JavaScript; when other users view the comment thread, the script executes in their browsers.

Vulnerability Details

Project comment fields accept raw HTML, including <img> tags whose src can be a data: URL.
SVGs loaded via data:image/svg+xml;base64,... are parsed by the browser, and SVG event attributes (e.g., onload) execute JavaScript.
Because comments are persisted and rendered to other users, this is a stored XSS vector.

Steps to Reproduce

  1. Open a project message thread with comments enabled.
    Example (local test instance):
    http://127.0.0.1:8088/Products/Projects/Messages.aspx?prjID=1&id=1#comments

  2. Prepare an SVG payload and base64-encode it.
    Example SVG:

    <svg xmlns="http://www.w3.org/2000/svg" width="200" height="200"
     onload="alert('xss')">
  <rect width="200" height="200" fill="lightblue"/>
</svg>

  3. Post a comment containing a base64-embedded SVG via <img> tag.

    <img
  src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIiBvbmxvYWQ9ImFsZXJ0KCd4c3MnKSI+PHJlY3Qgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiIGZpbGw9ImxpZ2h0Ymx1ZSIgLz48L3N2Zz4="
  alt="XSS">

  4. View the comment thread.
    When the page renders the comment, the browser loads the SVG from the data: URL and fires onload, executing the JavaScript (e.g., an alert).

Recommendation

  • Disallow SVG in user content, or strictly sanitize SVG (remove scripts/event handlers, external references).
  • Strip data: URLs or restrict <img src> to vetted schemes and MIME types (e.g., https + raster images only).
  • HTML sanitization: use a robust allow-list sanitizer (e.g., DOMPurify with ADD_TAGS/FORBID_ATTR configured) before storing/rendering comments.
  • CSP hardening: deploy restrictive Content-Security-Policy (disable data: for images if feasible; disallow inline scripts with nonces).

How we calculate affected digital assets

Methodology

Digital assets affected by a piece of software or hardware can include installations and real-world usage of that product across servers, websites, IoT devices, and other connected systems.

Data sources we use

  • For many web technologies, we use BuiltWith to estimate how many websites currently use a given product. Example: Vvveb usage statistics on BuiltWith .
  • For products that include telemetry or licensing beacons, we may rely on vendor-reported deployment figures to estimate the number of active installations.

Example: a vendor might share that their firewall product is deployed across a certain number of customer networks or appliances (similar to how a vendor such as NetSweeper reports its deployment footprint). We use those deployment counts as a proxy for affected digital assets.

How we estimate affected users

Estimation

The affected users value is an estimate of how many people are likely exposed to the vulnerability through the impacted assets.

Inputs we consider

  • Vendor data: when available, we use user or deployment counts provided by the vendor (for example, via telemetry, analytics, or licensing systems).
  • Asset-based estimate: when vendor data is not available, we use a conservative baseline of 100 users per asset and multiply it by the number of affected assets.

Example calculation

Suppose a vulnerability affects:

  • 20 IoT devices
  • 40 servers
  • 40 websites

Total affected assets: 20 + 40 + 40 = 100
Using our conservative baseline of 100 users per asset:

Estimated affected users: 100 assets × 100 users = 10,000 users

This approach intentionally aims to be conservative; it gives us a consistent way to compare impact across vulnerabilities and understand the approximate number of users we help protect.