CVE-2021-43448

Published: Jan 23, 2023Modified: Apr 2, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known.

Affected (1)

Products: Onlyoffice: Server

Onlyoffice

1 product

Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Onlyoffice Server	Up to 7.0.0.49

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

https://github.com/ONLYOFFICE/server

Source: cve@mitre.org

Third Party Advisory

https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://www.onlyoffice.com/

Source: cve@mitre.org

ProductVendor Advisory

https://github.com/ONLYOFFICE/server

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

https://www.onlyoffice.com/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.