CVE-2025-68936
📋 TL;DR
This vulnerability allows cross-site scripting (XSS) attacks through the Color theme name feature in ONLYOFFICE Docs. Attackers can inject malicious scripts that execute in users' browsers when they interact with affected documents. This affects organizations using ONLYOFFICE DocumentServer versions before 9.2.1.
💻 Affected Systems
- ONLYOFFICE Docs
- ONLYOFFICE DocumentServer
📦 What is this software?
Document Server by ONLYOFFICE
⚠️ Risk & Real-World Impact
Worst Case
Script running in the victim's browser inside the ONLYOFFICE origin can read cookies that are not marked HttpOnly, call the editor with the victim's session, exfiltrate document content, redirect the user to attacker-controlled sites, or stage a further browser exploit. XSS on its own does not install software on the endpoint; that would require chaining a separate browser vulnerability.
Likely Case
Session hijacking, credential theft, or unauthorized actions within the document collaboration environment.
If Mitigated
Limited impact where a Content-Security-Policy without 'unsafe-inline' blocks the injected script and session cookies are HttpOnly, though these controls contain the injection rather than remove it, and some data exposure may remain.
🎯 Exploit Status
XSS of this kind is low complexity for the attacker, but exploitation needs a victim to open or interact with content carrying the malicious Color theme name in a vulnerable editor.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.1
Vendor Advisory: https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#921
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Download ONLYOFFICE DocumentServer 9.2.1 or later.
3. Stop the DocumentServer service.
4. Install the updated version.
5. Restart the DocumentServer service.
6. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict script execution from untrusted sources; a script-src that omits 'unsafe-inline' is what stops an injected inline script from running.
Add the 'Content-Security-Policy' header in the web server (nginx or Apache) in front of DocumentServer. Roll it out as Content-Security-Policy-Report-Only first and watch for violations, since an over-strict policy can break the editor. CSP limits the impact of the injection but does not remove it.
Disable Color Theme Customization
Restrict users' ability to set custom Color theme names if the feature is not required.
No DocumentServer configuration switch for this is documented here, and OOXML files carry their own colour scheme names (the name attribute of a:clrScheme in the theme part), so restricting the UI does not stop a crafted document from supplying one. Treat this as partial at best; patching is the fix.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads
- Educate users about not clicking suspicious links or opening untrusted documents
🔍 How to Verify
Check if Vulnerable:
Any DocumentServer version below 9.2.1 is vulnerable. Read the running version from the package metadata inside the container or from the editor API (see Check Version) and compare it numerically with 9.2.1; a string comparison ranks '9.10' below '9.2' and gives the wrong answer.
Check Version:
Check the ONLYOFFICE Docs version in the web interface or run (container name assumes the default): docker exec onlyoffice-documentserver cat /etc/onlyoffice/documentserver/package.json | grep version
Alternatively, load /web-apps/apps/api/documents/api.js from the server in a browser and call DocsAPI.DocEditor.version() in the console, which returns the running version string.
Verify Fix Applied:
Confirm the reported version is 9.2.1 or later. Then, on a test instance, open a document whose colour scheme name contains HTML markup and confirm the name is displayed as literal text wherever the editor shows it, with no script execution and no CSP violation reports.
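The version comparison above is easy to get wrong by hand. The following is an added example, not ONLYOFFICE code: it parses the version out of two assumed inputs (the Version: field of `dpkg -s onlyoffice-documentserver` run inside the container, and the `DocsAPI.DocEditor.version` function literal in web-apps/apps/api/documents/api.js, whose layout is assumed as shown in the sample) and decides whether the build is below 9.2.1. Both sample texts are constructed.

```python
"""Version check for CVE-2025-68936: is a DocumentServer build below 9.2.1?

Added example, not ONLYOFFICE code. Assumed input formats:
  * the `Version:` field of `dpkg -s onlyoffice-documentserver` (Debian
    package metadata inside the container);
  * the `DocsAPI.DocEditor.version` function literal served in
    web-apps/apps/api/documents/api.js (shape assumed, see the sample).
Both sample texts below are constructed for illustration.
"""
import re

FIXED = (9, 2, 1)  # first release carrying the fix, per the advisory


def parse_version(text):
    """Return the leading dotted-numeric version in `text` as an int tuple.
    '9.1.0-25' -> (9, 1, 0); '9.2.1' -> (9, 2, 1). A package suffix such
    as '-25' is the Debian revision, not part of the upstream version."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version_text):
    """True when the upstream version is older than 9.2.1.
    Tuple comparison is deliberate: a plain string compare ranks '9.10.0'
    below '9.2.1' because '1' sorts before '2'."""
    return parse_version(version_text)[:3] < FIXED


def version_from_dpkg_status(status_text):
    """Pull the Version: field out of `dpkg -s` output."""
    m = re.search(r"^Version:\s*(\S+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version: field found")
    return m.group(1)


def version_from_api_js(js_text):
    """Pull the string literal returned by DocsAPI.DocEditor.version().
    The regex tolerates the newline/indent layout of the built api.js."""
    m = re.search(
        r"DocsAPI\.DocEditor\.version\s*=\s*function\s*\(\s*\)\s*\{\s*"
        r"return\s*['\"]([^'\"]+)['\"]",
        js_text,
    )
    if not m:
        raise ValueError("DocsAPI.DocEditor.version not found")
    return m.group(1)


def assess(version_text):
    """One-line verdict suitable for a patch-compliance report."""
    v = ".".join(str(p) for p in parse_version(version_text)[:3])
    if is_vulnerable(version_text):
        return "VULNERABLE: %s < 9.2.1, upgrade required" % v
    return "FIXED: %s >= 9.2.1" % v


# Constructed samples (not captured from a real server).
SAMPLE_DPKG_STATUS = """Package: onlyoffice-documentserver
Status: install ok installed
Version: 9.1.0-25
Architecture: amd64
"""
SAMPLE_API_JS = """DocsAPI.DocEditor.version = function() {
    return '9.2.1';
};
"""

if __name__ == "__main__":
    print("dpkg  :", assess(version_from_dpkg_status(SAMPLE_DPKG_STATUS)))
    print("api.js:", assess(version_from_api_js(SAMPLE_API_JS)))
```

Feed the real outputs in with `docker exec onlyoffice-documentserver dpkg -s onlyoffice-documentserver` or by fetching api.js over HTTP; the parsers raise rather than silently report "fixed" when the expected field is absent, so an unexpected format shows up as an error, not a false pass.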
📡 Detection & Monitoring
Log Indicators:
- Theme or colour scheme name values containing markup (<script, <img, <svg), event-handler attributes (onerror=, onload=) or a javascript: URL, including URL-encoded or entity-encoded forms
- Repeated rejections of theme names, if your deployment validates and logs them (an unpatched server does not reject them, so the absence of this signal proves nothing)
Network Indicators:
- HTTP requests with suspicious theme name parameters containing script payloads
SIEM Query:
source="onlyoffice" AND (theme_name CONTAINS "<script>" OR theme_name CONTAINS "javascript:")
Treat source and theme_name as placeholders for your log schema. A literal <script> match misses case variants, encoded forms and handler-attribute payloads; normalise the value (URL-decode, entity-decode) before matching and include on*= and <img/<svg patterns.
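The SIEM query above is the minimal form of the check; the scanner below is an added example, not ONLYOFFICE code or a vendor signature, that does the normalisation a literal match lacks. It assumes the theme name has already been extracted into a field (theme_name here is a placeholder, as in the query) and runs over constructed sample records.

```python
"""Payload scan for theme/colour-scheme name values (CVE-2025-68936 hunting).

Added example, not ONLYOFFICE code or a vendor signature. It assumes the
theme name has already been extracted into a field; `theme_name` is a
placeholder for whatever your log schema uses. Sample records are
constructed, not real DocumentServer logs.
"""
import html
import re
from urllib.parse import unquote

# Broader than the literal "<script>" / "javascript:" match: event handlers
# and active tags are the usual way round a script-tag filter.
PATTERNS = {
    "script_tag":     re.compile(r"<\s*script\b", re.I),
    "js_scheme":      re.compile(r"javascript\s*:", re.I),
    "event_handler":  re.compile(r"\bon[a-z]+\s*=", re.I),
    "active_tag":     re.compile(r"<\s*(?:svg|img|iframe|object|embed|math|video|audio)\b", re.I),
    "srcdoc_or_data": re.compile(r"\bsrcdoc\s*=|\bdata\s*:\s*text/html", re.I),
}


def normalize(value):
    """Undo the encodings used to slip past a literal match: repeated
    URL-decoding (double encoding is common), HTML entity decoding, and
    removal of NUL/control bytes that some parsers skip."""
    s = value
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = html.unescape(s)
    return re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f]", "", s)


def classify(theme_name):
    """Names of the patterns that match after normalisation (empty = clean)."""
    s = normalize(theme_name)
    return [name for name, rx in PATTERNS.items() if rx.search(s)]


def scan_records(records):
    """Return (timestamp, user, raw_name, hits) for every record whose
    theme_name trips at least one pattern."""
    findings = []
    for rec in records:
        hits = classify(rec["theme_name"])
        if hits:
            findings.append((rec["ts"], rec["user"], rec["theme_name"], hits))
    return findings


# Constructed sample records, not real DocumentServer logs.
SAMPLE_RECORDS = [
    {"ts": "2025-12-01T09:00:00Z", "user": "alice",   "theme_name": "Office Theme"},
    {"ts": "2025-12-01T09:01:00Z", "user": "bob",     "theme_name": "Black & White"},
    {"ts": "2025-12-01T09:02:00Z", "user": "mallory", "theme_name": "<ScRiPt>alert(1)</script>"},
    {"ts": "2025-12-01T09:03:00Z", "user": "mallory", "theme_name": "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"},
    {"ts": "2025-12-01T09:04:00Z", "user": "mallory", "theme_name": "&lt;a href=&quot;javascript:alert(1)&quot;&gt;x&lt;/a&gt;"},
    {"ts": "2025-12-01T09:05:00Z", "user": "mallory", "theme_name": "%253Cscript%253E"},
]

if __name__ == "__main__":
    for ts, user, raw, hits in scan_records(SAMPLE_RECORDS):
        print(ts, user, repr(raw), ",".join(hits))
```

The benign names ("Office Theme", "Black & White") pass untouched, while the mixed-case, URL-encoded, entity-encoded and double-encoded payloads are all caught because matching happens after decoding. Expect some false positives on names that legitimately contain an '=' after a word starting with "on"; tune the event_handler pattern against your own corpus before alerting on it.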