CVE-2023-34088
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Collabora Online allows attackers to create documents with malicious names containing JavaScript payloads. When administrators view the history page in the admin console, the unescaped document name executes in their browser context, potentially leaking their JSON web token (JWT) used for websocket connections. This affects all Collabora Online instances running vulnerable versions before the patched releases.
💻 Affected Systems
- Collabora Online
📦 What is this software?
Collabora Online by Collaboraoffice
⚠️ Risk & Real-World Impact
Worst Case
Administrator JWT token theft leading to full administrative compromise of the Collabora Online instance, potentially enabling further attacks on the infrastructure or data exfiltration.
Likely Case
Administrator session hijacking allowing unauthorized access to administrative functions and sensitive document management operations.
If Mitigated
Limited impact with proper input validation and output encoding, though administrative access could still be temporarily compromised.
🎯 Exploit Status
Exploitation requires creating a document with a malicious name and waiting for an administrator to view the history page. No authentication bypass is needed for the initial document creation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.05.13, 21.11.9.1, or 6.4.27
Vendor Advisory: https://github.com/CollaboraOnline/online/security/advisories/GHSA-7582-pwfh-3pwr
Restart Required: Yes
Instructions:
1. Back up your Collabora Online configuration and data.
2. Stop the Collabora Online service.
3. Update to version 22.05.13 or higher, 21.11.9.1 or higher, or 6.4.27 or higher.
4. Restart the Collabora Online service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Document Creation
Limit document creation to trusted users only and implement document name validation to reject suspicious characters.
Admin Console Access Restriction
Restrict access to the admin console history page or implement additional authentication requirements for administrative functions.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in document names
- Disable or restrict access to the admin console history page functionality
🔍 How to Verify
Check if Vulnerable:
Check your Collabora Online version. If you run a 22.05.x release below 22.05.13, a 21.11.x release below 21.11.9.1, or a 6.4.x release below 6.4.27, you are vulnerable.
Check Version:
Check the version shown in the Collabora Online admin console, or consult the installation documentation for how to query the installed version.
Verify Fix Applied:
After patching, verify the version is 22.05.13 or higher, 21.11.9.1 or higher, or 6.4.27 or higher. Test that document names are properly escaped in the admin console history page.
📡 Detection & Monitoring
Log Indicators:
- Unusual document creation patterns with special characters in names
- Multiple failed attempts to access admin console
Network Indicators:
- Unexpected websocket connections using administrator tokens
- Outbound connections to suspicious domains from admin console
SIEM Query:
Document creation events whose name field contains payload-like strings (HTML tags or script fragments), OR admin console access followed by unexpected outbound network connections.
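As an added illustration of the two checks above (the output-encoding check under Verify Fix Applied and the payload-like-name indicator in the SIEM query), not code from Collabora Online; the event field names and the sample events are constructed assumptions:

```javascript
// Added example, not Collabora Online's code. Shows (1) how an admin history
// page should render an attacker-controlled document name and (2) a log-scan
// heuristic for the "payload-like strings in name field" indicator.

// Escape the five characters that matter when a string lands in HTML text or
// a double-quoted attribute, so a name like "<script>..." becomes inert text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Build one history-table row with the name and user escaped. The vulnerable
// pattern is the same string concatenation without escapeHtml().
function historyRowHtml(docName, user) {
  return `<tr><td>${escapeHtml(docName)}</td><td>${escapeHtml(user)}</td></tr>`;
}

// Heuristic for the log indicator: a tag opener, an on*= event-handler
// attribute, a javascript: URI or a cookie read inside a document name.
// Expect some false positives; tune before alerting in bulk.
const PAYLOAD_RE = /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:|document\.cookie/i;

function looksLikePayload(docName) {
  return PAYLOAD_RE.test(String(docName));
}

// Scan document-creation events (field names assumed) and return the ones
// worth escalating, keeping only what an analyst needs to triage.
function flagSuspiciousCreations(events) {
  return events
    .filter((e) => e.event === "doc_create" && looksLikePayload(e.name))
    .map((e) => ({ name: e.name, user: e.user }));
}

// Constructed sample events, not real Collabora Online logs.
const SAMPLE_EVENTS = [
  { event: "doc_create", user: "alice", name: "Q3 budget (draft).odt" },
  { event: "doc_create", user: "bob", name: "<script>alert(1)</script>.odt" },
  { event: "doc_open", user: "alice", name: "<b>opened, not created</b>.odt" },
  { event: "doc_create", user: "carol", name: "Meeting notes & agenda.docx" },
];
```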