PT-2021-16807 · Onlyoffice · Onlyoffice Document Server

Published

2021-03-01

Updated

2021-10-29

CVE-2021-25832

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ONLYOFFICE DocumentServer versions 4.0.0 through 6.0.0

Description A heap buffer overflow vulnerability was found in the BMP image processing of the [core] module. This issue allows an attacker to gain remote code execution on the DocumentServer.

Recommendations For versions 4.0.0 through 6.0.0, update to a version that fixes the heap buffer overflow vulnerability in the BMP image processing module. As a temporary workaround, consider disabling the BMP image processing functionality in the [core] module until a patch is available.

Exploit

Fix

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

CVE-2021-25832

Affected Products

Onlyoffice Document Server

PT-2021-16807 · Onlyoffice · Onlyoffice Document Server

CVE-2021-25832

Weakness Enumeration

Related Identifiers

Affected Products

References · 13