Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Onlyoffice Subscribe
Total 26 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-25829 1 Onlyoffice 1 Document Server 2023-12-10 7.8 HIGH 7.5 HIGH
An improper binary stream data handling issue was found in the [core] module of ONLYOFFICE DocumentServer v4.0.0-9-v5.6.3. Using this bug, an attacker is able to produce a denial of service attack that can eventually shut down the target server.
CVE-2021-25833 1 Onlyoffice 1 Document Server 2023-12-10 7.5 HIGH 9.8 CRITICAL
A file extension handling issue was found in [server] module of ONLYOFFICE DocumentServer v4.2.0.71-v5.6.0.21. The file extension is controlled by an attacker through the request data and leads to arbitrary file overwriting. Using this vulnerability, a remote attacker can obtain remote code execution on DocumentServer.
CVE-2020-11534 1 Onlyoffice 1 Document Server 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the NSFileDownloader function to pass parameters to a binary (such as curl or wget) and remotely execute code on a victim's server.
CVE-2020-11537 1 Onlyoffice 1 Document Server 2023-12-10 7.5 HIGH 9.8 CRITICAL
A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can execute arbitrary SQL queries via injection to DocID parameter of Websocket API.
CVE-2020-11536 1 Onlyoffice 1 Document Server 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite a binary and remotely execute code on a victim's server.
CVE-2020-11535 1 Onlyoffice 1 Document Server 2023-12-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit XML injection to enter an attacker-controlled parameter into the x2t binary, to rewrite this binary and/or libxcb.so.1, and execute code on a victim's server.