PT-2020-13111 · Vereign · Vereign Collabora Code

Published 2020-07-21 · Updated 2020-07-24 · CVE-2020-12432

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Vereign Collabora CODE versions through 4.2.2

Description

The issue concerns the WOPI API integration, which fails to properly restrict JavaScript delivery to a victim's browser and lacks proper MIME type access control. This could lead to cross-site scripting (XSS) attacks that steal account credentials via cookies or local storage. To exploit this, an attacker must first obtain an API access token, potentially by uploading a .docx or .odt file. The associated API endpoints for exploitation are "/wopi/files" and "/wopi/getAccessToken".

Recommendations

For versions through 4.2.2, as a temporary workaround, consider restricting access to the "/wopi/files" and "/wopi/getAccessToken" API endpoints to minimize the risk of exploitation. Avoid allowing uploads of potentially malicious files, such as .docx or .odt, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
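
To check that the temporary workaround holds, the following added example (not from the advisory or the vendor) audits a reverse-proxy access log for requests to the two endpoints that came from outside an allowlisted network and were not refused. The Combined Log Format, the 10.20.0.0/24 allowlist, the set of "refused" status codes and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoints named in the advisory.
RESTRICTED = ("/wopi/files", "/wopi/getAccessToken")
# Assumption: only this network (the document-server hosts) may call them.
ALLOWED = [ipaddress.ip_network("10.20.0.0/24")]
REFUSED = {"401", "403", "404"}  # assumption: statuses that mean "blocked"
# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample log lines (documentation address ranges, redacted tokens).
SAMPLE_LOG = [
    '10.20.0.5 - - [21/Jul/2020:10:00:01 +0000] "GET /wopi/files/42?access_token=REDACTED HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [21/Jul/2020:10:00:05 +0000] "GET /wopi/files/42/contents?access_token=REDACTED HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [21/Jul/2020:10:00:09 +0000] "POST /wopi/getAccessToken HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.7 - - [21/Jul/2020:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "-"',
]

def is_restricted(path):
    """True if the path is one of the advisory's endpoints or lies below it."""
    path = path.lower()
    return any(path == p.lower() or path.startswith(p.lower() + "/") for p in RESTRICTED)

def is_allowed(client):
    """True only for a literal IP address inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(addr in net for net in ALLOWED)

def audit(lines):
    """Return (client, method, path, status) for every request to a restricted
    endpoint from outside ALLOWED that the server did not refuse."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = unquote(target.split("?", 1)[0])  # drop query, decode %xx
        if not is_restricted(path) or is_allowed(client):
            continue
        if status not in REFUSED:
            findings.append((client, method, path, int(status)))
    return findings
```

Any tuple returned by `audit` is a request the restriction should have stopped; an empty list over a representative log window indicates the endpoints are reachable only from the allowlisted network.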

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2020-12432

Affected Products

Vereign Collabora Code