PT-2021-23955 · Collabora · Collabora Online
Timarp · Published 2021-12-13 · Updated 2021-12-15 · CVE-2021-43817
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Collabora Online versions prior to 4.2.20
Collabora Online versions prior to 6.4.16
Description:
A reflected XSS vulnerability was found in Collabora Online, a collaborative online office suite based on LibreOffice technology. An attacker could inject unescaped HTML into a variable that is used when the Collabora Online iframe is created, and thereby execute scripts inside the context of the Collabora Online iframe. This would give access to a small set of user settings stored in the browser, as well as to the session's authentication token, which was also passed in at iframe creation time.
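The defect class described above, as an added illustration that is not Collabora's code: a page assembles the editor iframe markup by interpolating a request-controlled value straight into an HTML attribute, beside the hardened form that escapes it first. The `title` attribute, the `access_token` query parameter, the helper names and the sample input are all hypothetical; the point is that any untrusted value reaching the markup must be encoded for the context it lands in, and that a token emitted into the same markup sits within reach of anything that breaks out of that attribute.

```javascript
// Added example (not Collabora Online code). Attribute names, helper names and
// the sample input are hypothetical; the pattern is the one the advisory describes.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: a value taken from the request is interpolated raw into the
// iframe attribute, so a quote and '>' in it end the attribute and start new markup.
// The session token is emitted into the same markup at creation time.
function buildIframeUnsafe(docTitle, accessToken) {
  return `<iframe title="${docTitle}" src="/editor?access_token=${accessToken}"></iframe>`;
}

// Hardened pattern: HTML-escape what goes into the attribute, URL-encode what goes
// into the query string. Each value is encoded for the context it lands in.
function buildIframeSafe(docTitle, accessToken) {
  return `<iframe title="${escapeHtml(docTitle)}" src="/editor?access_token=${encodeURIComponent(accessToken)}"></iframe>`;
}

// Reviewer's quick check: count opening tags in the generated markup. Exactly one
// (the iframe itself) is expected; anything more means the input broke out.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed attacker-influenced input: closes the title attribute and adds an element.
const sampleTitle = 'report.ods"><b>injected</b>';
const sampleToken = "TOKEN_PLACEHOLDER"; // placeholder, not a real token

console.log("unsafe:", buildIframeUnsafe(sampleTitle, sampleToken));
console.log("  tags:", countTags(buildIframeUnsafe(sampleTitle, sampleToken))); // 2
console.log("safe:  ", buildIframeSafe(sampleTitle, sampleToken));
console.log("  tags:", countTags(buildIframeSafe(sampleTitle, sampleToken))); // 1
```

Run with `node` to see both renderings side by side. In a real application the same two rules apply wherever the iframe is built: escape for the HTML attribute context, URL-encode for the query-string context, and never trust that a value came from a "safe" source simply because it was part of the embedding page's own URL.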
Recommendations:
For Collabora Online versions prior to 4.2.20, upgrade to Collabora Online 4.2.20 or higher.
For Collabora Online versions prior to 6.4.16, upgrade to Collabora Online 6.4.16 or higher.
Fix
XSS
Affected Products: Collabora Online