
Anton Fabricius

Researcher from SySS
Rank #20716 of 53,633
Total CVSS: 12.2
Vulnerabilities · 2 (Medium · 2)
PT-2024-13990 · CVSS 6.1 · 2024-09-09
Onlyoffice · Onlyoffice Docs · CVE-2023-50883

**Name of the Vulnerable Software and Affected Versions**
ONLYOFFICE Docs versions prior to 8.0.1

**Description**
The issue stems from an incorrect fix for a previous problem and allows cross-site scripting (XSS): a macro is executed as an immediately-invoked function expression (IIFE), which enables a sandbox escape by directly calling the constructor of the `Function` object.

**Recommendations**
For versions prior to 8.0.1, update to version 8.0.1 or later to resolve the issue. As a temporary workaround, restrict the execution of macros to minimize the risk of exploitation.
PT-2024-30941 · CVSS 6.1 · 2024-09-09
Onlyoffice · Onlyoffice Docs · CVE-2024-44085

**Name of the Vulnerable Software and Affected Versions**
ONLYOFFICE Docs versions prior to 8.1.0

**Description**
The issue is a cross-site scripting (XSS) flaw in ONLYOFFICE Docs that occurs through a GeneratorFunction object attack on a macro; it is related to the use of an immediately-invoked function expression.

**Recommendations**
For versions prior to 8.1.0, update to version 8.1.0 or later to resolve the issue. As a temporary workaround, restrict the use of macros in ONLYOFFICE Docs until the update is applied.