CVE-2021-25830 Information

Jun 07, 2022 cve

Description

A file extension handling issue was found in [core] module of ONLYOFFICE DocumentServer v4.2.0.236-v5.6.4.13. An attacker must request the conversion of the crafted file from DOCT into DOCX format. Using the chain of two other bugs related to improper string handling an attacker can achieve remote code execution on DocumentServer.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/PPTXFormat/Logic/UniFill.cpp#L343 https://github.com/ONLYOFFICE/core https://github.com/ONLYOFFICE/DocumentServer https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L1918 https://github.com/ONLYOFFICE/core/blob/v5.6.4.13/ASCOfficePPTXFile/Editor/BinaryFileReaderWriter.cpp#L241 https://github.com/merrychap/poc_exploits/tree/master/ONLYOFFICE/CVE-2021-25830

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8

Share on: