CVE-2024-44085 in Docs
Summary
by MITRE • 09/09/2024
ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/10/2025
The vulnerability CVE-2024-44085 represents a cross-site scripting weakness in ONLYOFFICE Docs versions prior to 8.1.0 that stems from improper handling of macro execution within the document processing environment. This flaw specifically targets the GeneratorFunction object implementation and leverages immediately-invoked function expressions to execute malicious code in the context of the application's web interface. The vulnerability manifests when macros are processed within documents, creating an attack surface where untrusted input can be transformed into executable JavaScript code that bypasses normal security boundaries.
The technical implementation of this vulnerability involves the manipulation of JavaScript's GeneratorFunction constructor to create malicious code execution paths within macro contexts. When a document containing a crafted macro is processed, the application's macro engine fails to properly sanitize or validate the GeneratorFunction object usage, allowing attackers to inject and execute arbitrary JavaScript code. The attack exploits the fact that GeneratorFunction objects can be constructed dynamically and executed in ways that bypass traditional input validation mechanisms, particularly when these objects are used within IIFE patterns that are commonly employed in macro scripting environments.
This vulnerability creates significant operational impact within enterprise environments where ONLYOFFICE Docs is deployed for collaborative document editing and processing. The XSS vector allows attackers to execute malicious scripts in the context of authenticated users, potentially leading to session hijacking, data exfiltration, or privilege escalation within the application. The vulnerability is particularly concerning because it affects document processing functionality where users might unknowingly open malicious documents containing crafted macros, making it a persistent threat in environments where document sharing is common.
The root cause of this vulnerability lies in the flawed remediation of previous XSS issues, specifically CVE-2021-43446 and CVE-2023-50883, where the initial fixes were incomplete or overly restrictive in their approach. The developers' attempt to address earlier vulnerabilities created a new attack vector by not properly accounting for the dynamic nature of GeneratorFunction objects within macro processing contexts. This demonstrates the complexity of securing web applications that process user-generated content through macro systems, where traditional input sanitization approaches may prove insufficient against sophisticated exploitation techniques. The vulnerability aligns with CWE-79 Cross-site Scripting and follows patterns seen in ATT&CK technique T1059.007 for script-based execution, highlighting the need for comprehensive input validation and proper context-aware sanitization in macro processing environments.
Organizations should immediately upgrade to ONLYOFFICE Docs version 8.1.0 or later to address this vulnerability, as the patch includes proper sanitization of GeneratorFunction objects and improved macro execution context validation. Additionally, administrators should implement network-level controls to monitor and restrict document processing activities, particularly for documents from untrusted sources. The mitigation strategy should also include user education regarding the risks of opening documents from unknown origins and implementing strict access controls for macro-enabled document processing environments to minimize the potential impact of successful exploitation attempts.