CVE-2021-43449

Published: Jan 23, 2023Modified: Apr 2, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document.

Affected (1)

Products: Onlyoffice: Server

Onlyoffice

1 product

Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Onlyoffice Server	Up to 7.0.0.49

Related CWEs

CWE-918

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (6)

https://github.com/ONLYOFFICE/server

Source: cve@mitre.org

Third Party Advisory

https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://www.onlyoffice.com/

Source: cve@mitre.org

ProductVendor Advisory

https://github.com/ONLYOFFICE/server

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

https://www.onlyoffice.com/

Source: af854a3a-2127-422b-91ae-364da2661108

ProductVendor Advisory

Timeline

No history available yet.