S4E

CVE-2025-5301 Scanner

CVE-2025-5301 Scanner - Cross-Site Scripting (XSS) vulnerability in ONLYOFFICE Docs (DocumentServer)

Short Info

Level: Medium
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 1 week 10 hours
Scan only one: Domain, Subdomain, IPv4

ONLYOFFICE Docs (DocumentServer) is widely used collaboration software that provides document editing and management features to businesses and educational institutions. Multiple users can create, edit, and share text documents, spreadsheets, and presentations at the same time. It runs on several operating systems and integrates with various storage services, which broadens where and how it can be deployed. Because it is a web-based service, it is reachable from any device with internet connectivity, making it a popular choice for teams that need real-time collaboration. Organizations use ONLYOFFICE Docs to streamline workflows by enabling simultaneous editing and commenting on shared documents, and it is often deployed in enterprise environments focused on efficient document handling.

CVE-2025-5301 is a reflected Cross-Site Scripting (XSS) vulnerability in ONLYOFFICE Docs (DocumentServer). The server fails to validate or encode a parameter received in an HTTP POST request to its WOPI editor endpoint, so attacker-controlled input is written into the HTML response unchanged. A script injected this way runs in the victim's browser under the origin of the DocumentServer, which lets the attacker read data exposed to that origin, hijack the editing session, capture keystrokes, or redirect the user to a phishing page. Because the script executes inside the legitimate application, it can also manipulate the DOM and alter how the editor behaves for the victim.

Specifically, a crafted HTTP POST request to the '/hosting/wopi/word/edit' endpoint causes the value of the 'dchat' parameter to be reflected into the HTML response without sanitization or output encoding. Placing a script tag or other HTML markup in that parameter therefore results in arbitrary JavaScript executing in the browser of whoever submits the request. Since the advisory describes the parameter as part of a POST body rather than a URL query string, an attacker cannot simply send a victim a link; the usual delivery is a page under the attacker's control that auto-submits a form to the target DocumentServer, which the victim is lured into visiting through phishing or other social engineering. The root cause is the absence of server-side filtering or context-appropriate encoding before the parameter is written into the page.
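The check a scanner performs for a reflection like this is simple in principle: submit a unique marker containing HTML metacharacters in the suspect parameter and see whether the response reflects it raw, HTML-encoded, or not at all. The following is an added example, not S4E's scanner code and not ONLYOFFICE code. The endpoint path and parameter name are taken from the description above; the two toy renderers, the sample responses and the attribute context they reflect into are constructed stand-ins for the real editor page, and the `probe()` helper that actually sends the POST is an assumption about how the endpoint can be reached (it ignores other WOPI form fields the real endpoint may expect).

```python
"""Reflection probe for a POST parameter (added example, not the page's own code)."""
import html
import re
import secrets
import urllib.error
import urllib.parse
import urllib.request

WOPI_EDIT_PATH = "/hosting/wopi/word/edit"   # from the advisory text
PARAM = "dchat"                               # from the advisory text
SUFFIX = "\"'<>"                              # the metacharacters the server must encode

# Matches a single HTML character reference such as &quot; &#39; &#x27; &lt;
ENTITY = re.compile(r"&(?:#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def make_token() -> str:
    """Random token so we recognise our own input and not unrelated page text."""
    return "s4e" + secrets.token_hex(4)


def vulnerable_render(dchat: str) -> str:
    """Constructed stand-in for a template that writes the parameter raw into an attribute."""
    return f'<html><body><div id="chat" data-dchat="{dchat}"></div></body></html>'


def hardened_render(dchat: str) -> str:
    """Same page with attribute-context encoding applied.

    html.escape(quote=True) is correct for an HTML attribute; a value written
    into a <script> block would need JSON encoding plus '<' escaping instead.
    """
    safe = html.escape(dchat, quote=True)
    return f'<html><body><div id="chat" data-dchat="{safe}"></div></body></html>'


def classify_reflection(body: str, token: str) -> str:
    """Classify how token+SUFFIX came back: 'raw', 'escaped', 'partial', 'filtered' or 'absent'.

    Walks the response right after the token and, for each metacharacter we
    sent, checks whether it appears literally or as an entity reference.
    'partial' (e.g. angle brackets encoded but quotes not) is still exploitable
    in an attribute context, so a scanner should not treat it as safe.
    """
    idx = body.find(token)
    if idx < 0:
        return "absent"
    pos = idx + len(token)
    raw = 0
    for ch in SUFFIX:
        if body.startswith(ch, pos):
            raw += 1
            pos += 1
            continue
        m = ENTITY.match(body, pos)
        if m:
            pos = m.end()
            continue
        return "filtered"          # character dropped or reflection truncated
    if raw == len(SUFFIX):
        return "raw"
    if raw == 0:
        return "escaped"
    return "partial"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """POST the marker to the WOPI edit endpoint of a live target and classify it.

    Assumed request shape: a plain form POST with only the dchat field.
    Error responses are inspected too, since reflections often live in them.
    """
    token = make_token()
    data = urllib.parse.urlencode({PARAM: token + SUFFIX}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + WOPI_EDIT_PATH,
                                 data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
    return classify_reflection(body, token)


def demo() -> dict:
    """Run the classifier over constructed responses (no network needed)."""
    token = make_token()
    marker = token + SUFFIX
    return {
        "vulnerable": classify_reflection(vulnerable_render(marker), token),
        "hardened": classify_reflection(hardened_render(marker), token),
        "absent": classify_reflection("<html><body>nothing here</body></html>", token),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable': 'raw', 'hardened': 'escaped', 'absent': 'absent'}
```

Run it against a test instance with `probe("https://docs.example.internal")` (hostname assumed); a 'raw' or 'partial' verdict means the parameter reaches the page without context-appropriate encoding, which is exactly the condition this CVE describes.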

The possible effects of exploiting this Cross-Site Scripting (XSS) vulnerability include unauthorized access to users' session data and personal information. Attackers can perform actions on behalf of victims, such as issuing requests to the DocumentServer or manipulating document content, and if the victim is an administrator the attacker inherits that user's privileges within the application. Successful exploitation could lead to reputational damage for organizations relying on ONLYOFFICE Docs (DocumentServer) for document collaboration and erode users' trust in the service. Injected scripts can also be used to serve malware to victims or to interfere with the editor's functionality for the affected user.
