CVE-2023-50883 in Docs
Summary
by MITRE • 09/09/2024
ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediately-invoked function expression (IIFE), and therefore a sandbox escape is possible by directly calling the constructor of the Function object. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/10/2025
The vulnerability identified as CVE-2023-50883 affects ONLYOFFICE Docs versions prior to 8.0.1 and represents a critical cross-site scripting flaw that stems from improper handling of macro execution within the document processing environment. This vulnerability specifically exploits the way macros are processed when they are implemented as immediately-invoked function expressions, creating a sandbox escape condition that allows malicious code execution. The flaw emerged from an incorrect remediation approach for a previously identified vulnerability CVE-2021-43446, demonstrating how security fixes can sometimes introduce new attack vectors when not carefully implemented. The root cause lies in the JavaScript execution environment where macro code can directly access the Function constructor, bypassing intended security boundaries.
The technical implementation of this vulnerability occurs when a malicious macro is crafted as an IIFE that can leverage the Function constructor to escape the sandboxed execution environment. This allows attackers to execute arbitrary JavaScript code within the context of the victim's browser session, potentially leading to full compromise of the user's interaction with the document processing application. The vulnerability is particularly dangerous because it operates at the core of document macro processing, where users might unknowingly execute malicious content while working with documents that contain crafted macros. The sandbox escape mechanism specifically targets the JavaScript engine's security model, where the Function constructor provides direct access to the underlying execution environment that should normally be restricted.
The operational impact of CVE-2023-50883 extends beyond simple XSS exploitation to potentially enable more severe attack vectors including session hijacking, data exfiltration, and persistent malicious code execution within user browsers. Attackers can craft documents containing malicious macros that, when opened by unsuspecting users, will execute the crafted JavaScript code directly in the browser context. This creates a significant risk for organizations using ONLYOFFICE Docs for collaborative document editing, as users may unknowingly open compromised documents that contain the malicious macros. The vulnerability affects both local and remote attack scenarios, as documents can be distributed through various channels including email attachments, shared document repositories, or collaborative platforms where users might download and open documents without proper security scanning.
Organizations should immediately implement mitigations including updating to ONLYOFFICE Docs version 8.0.1 or later, which contains the proper fix for this vulnerability. Additionally, administrators should consider implementing strict document validation policies that prevent execution of macros in untrusted documents, and deploy web application firewalls that can detect and block malicious JavaScript patterns. The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and follows ATT&CK technique T1059.007 for JavaScript execution. Security teams should also consider implementing user education programs to raise awareness about the risks of opening documents from untrusted sources, particularly in collaborative environments where document sharing is common. Regular security assessments and penetration testing should be conducted to identify similar sandbox escape vulnerabilities in other document processing applications within the organization's technology stack.