CVE-2021-25833

Name of the Vulnerable Software and Affected Versions ONLYOFFICE DocumentServer versions 4.2.0.71 through 5.6.0.21

Description A file extension handling issue was found in the server module of ONLYOFFICE DocumentServer. The file extension can be controlled by an attacker through the request data, leading to arbitrary file overwriting. This issue allows a remote attacker to obtain remote code execution on DocumentServer.

Recommendations For versions 4.2.0.71 through 5.6.0.21, consider restricting access to the server module until a patch is available. As a temporary workaround, avoid using the vulnerable file extension handling functionality in the request data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.