CVE-2020-11536 in Document Server
Summary
by MITRE
An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attacker can craft a malicious .docx file, and exploit the unzip function to rewrite a binary and remotely execute code on a victim's server.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/07/2025
The vulnerability identified as CVE-2020-11536 represents a critical security flaw in ONLYOFFICE Document Server version 5.5.0 that stems from improper handling of archive extraction operations. This issue manifests through a path traversal vulnerability within the application's unzip functionality, allowing malicious actors to manipulate file extraction processes and potentially overwrite critical system binaries. The vulnerability exists in the document processing pipeline where user-supplied .docx files are decompressed and processed, creating an attack surface that can be exploited without authentication.
The technical exploitation of this vulnerability leverages a classic path traversal mechanism within the unzip function implementation. When the application processes a maliciously crafted .docx file, the decompression routine fails to properly validate or sanitize file paths contained within the archive structure. This allows an attacker to include specially crafted path references that can overwrite files in the application's installation directory or other system locations. The flaw specifically relates to CWE-22 Path Traversal and CWE-427 Uncontrolled Search Path Element, where the application's extraction logic does not properly restrict file destinations during decompression operations.
From an operational standpoint, this vulnerability presents a severe risk to organizations relying on ONLYOFFICE Document Server for document processing and collaboration. An attacker who successfully exploits this vulnerability can achieve remote code execution on the target server, potentially gaining full administrative control over the system. The attack requires only the ability to upload or process a malicious .docx file, making it particularly dangerous in environments where users can submit documents for processing. The remote execution capability allows for arbitrary command injection, data exfiltration, and persistence mechanisms that can be leveraged for further network infiltration.
The attack vector typically involves an attacker creating a specially crafted .docx file that contains a malicious file structure with path traversal sequences in the archive entries. When the Document Server processes this file, the unzip function extracts files to locations outside the intended directory, potentially overwriting critical system binaries or creating backdoor access points. This vulnerability aligns with ATT&CK technique T1059 Command and Scripting Interpreter and T1078 Valid Accounts, as it enables attackers to execute commands and potentially establish persistent access through compromised server resources.
Organizations should immediately apply the vendor-provided patch for ONLYOFFICE Document Server version 5.5.0 to remediate this vulnerability. Additionally, implementing network segmentation and access controls can limit the potential impact of exploitation attempts. Security monitoring should focus on unusual file processing patterns and unexpected binary modifications in Document Server directories. Input validation and sanitization measures should be strengthened to prevent malicious archive content from being processed, and regular security assessments should verify that decompression functions properly validate file paths and destinations to prevent similar vulnerabilities from emerging in other components of the document processing pipeline.