CVE-2025-5301

Published Jun 12, 2025

Last updated a month ago

CVSS medium 6.1

Overview

Description
ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol. Attackers could inject malicious scripts via crafted HTTP POST requests, which are then reflected in the server's HTML response.
Source
551230f0-3615-47bd-b7cc-93e92e730bbf
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.1
Impact score
2.7
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity
MEDIUM

Weaknesses

551230f0-3615-47bd-b7cc-93e92e730bbf
CWE-79

Social media

Hype score
Not currently trending

  1. CVE-2025-5301 ONLYOFFICE Docs (DocumentServer) in versions equal and below 8.3.1 are affected by a reflected cross-site scripting (XSS) issue when opening files via the WOPI protocol… https://t.co/Ykb7navcGt

    @CVEnew

    12 Jun 2025

    440 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.