OnlyOffice Community Server - v12.7.0 - Cross-Site Scripting (cross-origin)

By 0xhamy 03:37 PM - October 22nd 2025
Type software
Product Environment web
Product Name OnlyOffice Community Server
Product Vendor Ascensio System SIA
Product Version 12.7.0
Product Link https://github.com/ONLYOFFICE/Docker-CommunityServer
Vulnerability Name Cross-Site Scripting
Severity Low (reporter's rating; note that under the CVSS v3.1 qualitative scale a 4.6 base score falls in the Medium band)
CVSS String CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS Score 4.6
CVE ID CVE-2025-10255
Vendor Acknowledgement Yes
Affected Digital Assets 10523
Affected Users 1052300
Date of Reporting Feb 17, 2025
PoC Exploit -
Credit 0xhamy,daeda1us

Description

ONLYOFFICE Community Server (Projects module) accepts raw HTML in project comments and renders <iframe> elements contained in it, enabling stored HTML injection: a comment can embed an attacker-controlled page whose script then runs in every viewer's browser, inside the frame.
An attacker posts a comment that embeds a remote page in an iframe. When other users view the thread, the external page loads automatically and runs its own JavaScript within its own origin. The Same-Origin Policy prevents that script from reading ONLYOFFICE cookies or the surrounding DOM, but the frame is still displayed inside a trusted ONLYOFFICE page, which is enough for phishing, credential harvesting, UI redress and drive-by actions inside the framed site.

Vulnerability Details

The comment editor accepts HTML and does not strip <iframe> tags or their src attributes. Because comments are persisted and rendered to every viewer, a malicious iframe is stored once and loaded automatically on each page view, with no further action by the attacker.
The embedded page executes in its own origin, so it cannot directly read or modify ONLYOFFICE data; however, it can:

  • Present a deceptive UI (for example a login form that mimics ONLYOFFICE's) to harvest credentials or tokens on the attacker's site.
  • Load additional malware or trackers.
  • Attempt clickjacking-style tricks or social engineering within the frame, lent credibility by the surrounding ONLYOFFICE page.

Steps to Reproduce

  1. Prepare a malicious page to embed.
    Create index.html:

    <!doctype html>
    <html>
      <head><title>Malicious Page</title></head>
      <body>
        <h1>Welcome</h1>
        <!-- runs in the attacker's origin (127.0.0.1:8000), not in the ONLYOFFICE origin -->
        <img src=x onerror="alert('xss')">
      </body>
    </html>


    Serve it locally, from the directory containing index.html:

    python3 -m http.server 8000

  2. Open a project comments thread.
    Example (local instance):
    http://127.0.0.1:8088/Products/Projects/Messages.aspx?prjID=1&id=1#comments

  3. Post a comment that embeds the iframe.
    Switch the editor to source/HTML mode and submit:

    <iframe src="http://127.0.0.1:8000/index.html"></iframe>

  4. View the thread.
    Reload the page, or share the link with another user. The iframe content loads and its script executes in the viewer's browser within the attacker's origin: the alert dialog is attributed to 127.0.0.1:8000, not to the ONLYOFFICE host, which confirms the cross-origin (rather than same-origin) nature of the execution.


Recommendation

  • Strip <iframe> tags and other embedding tags (<object>, <embed>, and likewise <script>, <svg>, <math>) from comment markup, together with their content, rather than only the tag itself.
  • Sanitize comment HTML with an allow-list sanitizer (permit only a fixed set of formatting tags and attributes) before storing and again before rendering; block-listing known-bad tags is easily bypassed.
  • Harden the Content-Security-Policy served with the Projects pages so that third-party frames cannot load even if sanitization is bypassed, e.g. frame-src 'none' or frame-src limited to trusted origins. Note that frame-ancestors only controls who may frame ONLYOFFICE and does not address this issue.
  • Reject data:, javascript: and other non-http(s) schemes in any URL-bearing attribute that survives sanitization (href, src), after removing the whitespace and control characters browsers ignore when parsing URLs.
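As an added example, not ONLYOFFICE code, the following Python allow-list sanitizer built on the standard-library html.parser implements the first, second and fourth recommendations in one place: embedding and scripting elements are removed together with their content, only a fixed set of formatting tags and attributes survives, and href values with any scheme other than http, https or mailto are dropped. The allow-lists themselves, the clean_url and sanitize_comment names, and the sample inputs are assumptions chosen for illustration.

```python
# Added example, not ONLYOFFICE code: an allow-list sanitizer for user-submitted
# comment HTML, built on Python's standard-library html.parser.
# The tag/attribute allow-lists are illustrative assumptions.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Formatting tags that may survive; anything else is removed (its text is kept).
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "u", "s", "code", "pre",
                "blockquote", "ul", "ol", "li", "a"}
# Attributes allowed per tag. No src, style or on* handler is ever allowed.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Elements removed together with their entire content, not just the tag.
DROP_WITH_CONTENT = {"iframe", "object", "embed", "script", "style",
                     "noscript", "template", "svg", "math"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def clean_url(value):
    """Return a usable href, or None if its scheme is not http(s)/mailto.
    Surrounding whitespace and non-printable characters (tab, newline, NUL)
    are removed first: browsers ignore them when parsing URLs, so a value
    like 'java\\tscript:' would otherwise pass a naive prefix check."""
    cleaned = "".join(ch for ch in value.strip() if ch.isprintable())
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return None
    return cleaned


class CommentSanitizer(HTMLParser):
    """Re-serializes only allow-listed markup; output is always balanced."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []         # serialized output fragments
        self.open_tags = []   # allowed tags currently open, for balancing
        self.dropping = []    # stack of DROP_WITH_CONTENT tags we are inside

    def handle_starttag(self, tag, attrs):
        if self.dropping or tag in DROP_WITH_CONTENT:
            if tag in DROP_WITH_CONTENT:
                self.dropping.append(tag)
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue
            if name == "href":
                value = clean_url(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in self.dropping:
                while self.dropping.pop() != tag:
                    pass
            return
        if tag in self.open_tags:
            # close anything left open inside this element, then the element
            while True:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE> and <?...?> hit HTMLParser's defaults and are dropped.

    def result(self):
        self.close()
        self.out.extend(f"</{tag}>" for tag in reversed(self.open_tags))
        self.open_tags.clear()
        return "".join(self.out)


def sanitize_comment(html):
    """Sanitize one comment body; call on store and again on render."""
    parser = CommentSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed inputs: the advisory's iframe payload and a benign comment.
    print(repr(sanitize_comment('<iframe src="http://127.0.0.1:8000/index.html"></iframe>')))
    print(repr(sanitize_comment('<p>Looks <b>good</b>, see '
                                '<a href="https://example.com/?a=1&b=2">link</a></p>')))
```

Two design points matter here. Dropped elements are tracked as a stack so that the text inside an <iframe> or <object> never reaches the output, while text inside an unknown but harmless tag such as <div> is kept. URL checking happens after stripping the characters browsers discard, and on the parsed scheme rather than a string prefix, so javascript:, data: and vbscript: variants with embedded tabs or leading whitespace are all rejected. Re-escaping every text node and attribute value on output is what turns the stored raw HTML of the advisory into inert markup.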