DELTA OBSCURA

We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.

GitHub

OnlyOffice Community Server - v12.7.0 - Cross-Site Scripting

By 0xhamy 03:26 PM - October 22nd 2025
Type software
Product Environment web
Product Name OnlyOffice Community Server
Product Vendor Ascensio System SIA
Product Version 12.7.0
Product Link https://github.com/ONLYOFFICE/Docker-CommunityServer
Vulnerability Name Cross-Site Scripting
Severity High
CVSS String CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score 8.7
CVE ID CVE-2025-10254
Vendor Acknowledgement Yes
Affected digital Assets 10523
Affected Users 1052300
Date of Reporting Feb 17, 2025
PoC Exploit -
Credit 0xhamy,daeda1us

Description

ONLYOFFICE Community Server allows HTML in project comments and accepts embedded SVG images, enabling stored cross-site scripting (XSS).
An attacker can post a comment containing a base64-encoded SVG with JavaScript; when other users view the comment thread, the script executes in their browsers.

Vulnerability Details

Project comment fields accept raw HTML, including <img> tags whose src can be a data: URL.
SVGs loaded via data:image/svg+xml;base64,... are parsed by the browser, and SVG event attributes (e.g., onload) execute JavaScript.
Because comments are persisted and rendered to other users, this is a stored XSS vector.

Steps to Reproduce

  1. Open a project message thread with comments enabled.
    Example (local test instance):
    http://127.0.0.1:8088/Products/Projects/Messages.aspx?prjID=1&id=1#comments

  2. Prepare an SVG payload and base64-encode it.
    Example SVG:

    <svg xmlns="http://www.w3.org/2000/svg" width="200" height="200"
     onload="alert('xss')">
  <rect width="200" height="200" fill="lightblue"/>
</svg>

  3. Post a comment containing a base64-embedded SVG via <img> tag.

    <img
  src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIiBvbmxvYWQ9ImFsZXJ0KCd4c3MnKSI+PHJlY3Qgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiIGZpbGw9ImxpZ2h0Ymx1ZSIgLz48L3N2Zz4="
  alt="XSS">

  4. View the comment thread.
    When the page renders the comment, the browser loads the SVG from the data: URL and fires onload, executing the JavaScript (e.g., an alert).

Recommendation

  • Disallow SVG in user content, or strictly sanitize SVG (remove scripts/event handlers, external references).
  • Strip data: URLs or restrict <img src> to vetted schemes and MIME types (e.g., https + raster images only).
  • HTML sanitization: use a robust allow-list sanitizer (e.g., DOMPurify with ADD_TAGS/FORBID_ATTR configured) before storing/rendering comments.
  • CSP hardening: deploy restrictive Content-Security-Policy (disable data: for images if feasible; disallow inline scripts with nonces).