CVE-2025-68935
📋 TL;DR
CVE-2025-68935 is a cross-site scripting (XSS) vulnerability in ONLYOFFICE Docs DocumentServer that allows attackers to inject malicious scripts via the Font field in Multilevel list settings. This affects users of ONLYOFFICE Docs DocumentServer who open malicious documents. The vulnerability could lead to session hijacking, data theft, or unauthorized actions.
💻 Affected Systems
- ONLYOFFICE Docs DocumentServer
📦 What is this software?
Document Server by Onlyoffice
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on client systems.
Likely Case
Session hijacking leading to unauthorized access to documents and user accounts within the ONLYOFFICE environment.
If Mitigated
Limited impact with proper content security policies, input validation, and user awareness about opening untrusted documents.
🎯 Exploit Status
Exploitation requires creating a malicious document with a crafted Font field in the Multilevel list settings and convincing the victim to open it. No authentication bypass is needed beyond document access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.1
Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921
Restart Required: Yes
Instructions:
1. Backup current configuration and data.
2. Stop the ONLYOFFICE DocumentServer service.
3. Update to version 9.2.1 using the package manager or manual installation.
4. Restart the ONLYOFFICE DocumentServer service.
5. Verify version and functionality.
🔧 Temporary Workarounds
Content Security Policy Enhancement
Implement strict CSP headers to prevent script execution from untrusted sources.
Add Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration, and test that the editor still loads under the policy before enforcing it, since a CSP that blocks the editor's own scripts breaks document editing.
Input Validation Proxy
Deploy a WAF or reverse proxy to sanitize Font field inputs.
Configure ModSecurity or a similar WAF with XSS detection rules.
🧯 If You Can't Patch
- Restrict document uploads to trusted sources only
- Implement user education about opening untrusted documents
🔍 How to Verify
Check if Vulnerable:
Check the ONLYOFFICE DocumentServer version. If the version is below 9.2.1, the system is vulnerable.
Check Version:
Check the web interface admin panel, or run:
docker exec onlyoffice-documentserver cat /etc/onlyoffice/documentserver/package.json | grep version
Verify Fix Applied:
After patching, verify version is 9.2.1 or higher and test document processing functionality.
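The version check above is easy to get wrong with a string comparison (e.g. "9.10.0" sorts before "9.2.1" as text). The following script, added here as an example and not part of the advisory or of ONLYOFFICE, parses the "version" key from a package.json file and compares it numerically against the 9.2.1 fix version. The sample package.json content is constructed; the real file's other keys and any build suffix on the version string are assumptions.

```python
import json
import re
import sys

FIXED_VERSION = "9.2.1"  # patch version stated in the advisory

# Constructed sample of /etc/onlyoffice/documentserver/package.json content.
# Assumption: the file carries a "version" key, as the advisory's grep implies.
SAMPLE_PACKAGE_JSON = '{"name": "documentserver", "version": "9.1.0"}'


def parse_version(text):
    """Turn '9.2.1' (or '9.2.1-23' with a build suffix) into a tuple of ints.

    Numeric tuples compare correctly, so 9.10.0 > 9.2.1 as intended.
    """
    core = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in core.group(1).split(".")]
    while len(parts) < 3:  # pad so '9.2' compares equal to '9.2.0'
        parts.append(0)
    return tuple(parts)


def version_from_package_json(content):
    """Extract the version string from package.json text."""
    return json.loads(content)["version"]


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly older than the fix version."""
    return parse_version(version) < parse_version(fixed)


def assess(package_json_text):
    """Return a small report dict for the given package.json content."""
    version = version_from_package_json(package_json_text)
    return {"version": version, "vulnerable": is_vulnerable(version), "fixed_in": FIXED_VERSION}


if __name__ == "__main__":
    # Pass the real package.json path as the first argument; otherwise the
    # constructed sample is assessed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE_PACKAGE_JSON
    print(assess(content))
```

Run it against the file copied out of the container (for example `docker cp onlyoffice-documentserver:/etc/onlyoffice/documentserver/package.json .` followed by `python check.py package.json`); a report with "vulnerable": True means the instance is still below 9.2.1.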
📡 Detection & Monitoring
Log Indicators:
- Unusual font names in document processing logs
- Multiple failed document processing attempts with special characters
Network Indicators:
- Documents with suspicious font field content being uploaded
- Unexpected script tags in document server responses
SIEM Query:
source="onlyoffice" AND (font:*script* OR font:*javascript* OR font:*onload* OR font:*onerror*)
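To make the log indicators and the SIEM query concrete, here is an added example (not part of the advisory or of ONLYOFFICE) that scans log lines for a font field and flags values carrying the advisory's indicator terms or HTML markup characters. The log line format, the font="..." field name and the sample lines are all constructed for this example; real ONLYOFFICE DocumentServer logs will need their own field extraction.

```python
import re

# Indicator terms taken from the advisory's SIEM query.
SUSPICIOUS_TERMS = ("script", "javascript", "onload", "onerror")

# Assumed (constructed) log line shape: <timestamp> <component> ... font="<value>" ...
FONT_FIELD = re.compile(r'font="((?:[^"\\]|\\.)*)"')

# Constructed sample log lines; line 3 and 4 carry injected markup, line 5 is a
# legitimate font whose name happens to contain "script", line 6 has no font field.
SAMPLE_LOG_LINES = [
    '2025-01-01T10:00:00Z docserver convert doc=report.docx font="Arial"',
    '2025-01-01T10:00:01Z docserver convert doc=memo.docx font="Times New Roman"',
    '2025-01-01T10:00:02Z docserver convert doc=evil.docx font="<script>alert(1)</script>"',
    '2025-01-01T10:00:03Z docserver convert doc=evil2.docx font="Calibri onerror=handler"',
    '2025-01-01T10:00:04Z docserver convert doc=invite.docx font="Script MT Bold"',
    '2025-01-01T10:00:05Z docserver healthcheck status=ok',
]


def font_value(line):
    """Return the font field value from a log line, or None if absent."""
    match = FONT_FIELD.search(line)
    return match.group(1) if match else None


def suspicious_reasons(font):
    """List why a font value looks suspicious; empty list means it looks benign."""
    reasons = []
    lowered = font.lower()
    for term in SUSPICIOUS_TERMS:
        if term in lowered:
            reasons.append(f"contains '{term}'")
    # A real font name carries no markup: angle brackets or '=' point to injected tags/attributes.
    if re.search(r"[<>=]", font):
        reasons.append("contains markup characters")
    return reasons


def scan(lines):
    """Return one hit dict per flagged line, in input order."""
    hits = []
    for number, line in enumerate(lines, 1):
        font = font_value(line)
        if font is None:
            continue
        reasons = suspicious_reasons(font)
        if reasons:
            hits.append({"line": number, "font": font, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: font={hit['font']!r} -> {', '.join(hit['reasons'])}")
```

The fifth sample line shows the main caveat of the advisory's wildcard query: a legitimate font such as "Script MT Bold" matches *script* and will be reported on the term alone, so the "contains markup characters" reason is the better trigger for an alert, and the term-only hits are candidates for triage or an allowlist of known font names.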