PT-2022-11839 · Unknown · Onlyoffice

Iain Wallace

·

Published

2022-12-16

·

Updated

2026-05-01

·

CVE-2021-43444

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

ONLYOFFICE versions prior to 2021-11-08

Description

Incorrect access control allows signed document download URLs to be forged because the default URL signing key is weak. In addition, an unauthenticated WebSocket allows document downloads, macro injection, and Server-Side Request Forgery (SSRF), in which the attacker makes the server issue requests to a destination the attacker chooses. The WebSocket access is enabled by the default JSON Web Token (JWT) signing key, which is set to the literal string "secret".

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. Since the issues described above stem from a weak default signing key, deployments should replace it with a randomly generated secret as an interim mitigation.
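The following check is an added example and is not code from the advisory or from ONLYOFFICE. It assumes the tokens are HS256 JWTs (ONLYOFFICE's JWT usage is HMAC-based, but the exact token and signed-URL format is not reproduced on this page, so the claim names below are hypothetical). It signs a token with the default key "secret" named above to show how trivially a signed token can be forged, and verifies a captured token against that key to detect a deployment still running on the default; it also generates a replacement secret of the kind the interim mitigation calls for.

```python
"""Added example (not from the advisory or ONLYOFFICE): detect and demonstrate
the weak default JWT signing key "secret" on HS256 tokens."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# The default signing key named in the advisory.
DEFAULT_WEAK_KEY = b"secret"


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url; re-adds the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_hs256_sign(payload: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: b64url(header).b64url(payload).b64url(sig).
    With key=DEFAULT_WEAK_KEY this is exactly the forgery the advisory describes."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def jwt_hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the HS256 signature verifies under `key`, else None.
    Only HS256 is accepted, so an 'alg: none' token is rejected outright."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def uses_default_key(token: str) -> bool:
    """True if a captured token validates under the default key: anyone can then
    mint their own tokens, which is the 'forged download URL' condition."""
    return jwt_hs256_verify(token, DEFAULT_WEAK_KEY) is not None


def generate_strong_key(nbytes: int = 32) -> str:
    """Replacement secret for the interim mitigation: 32 random bytes, hex-encoded."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample claims (hypothetical; not the real ONLYOFFICE format).
    claims = {"url": "http://files.example.invalid/report.docx", "mode": "view"}
    forged = jwt_hs256_sign(claims, DEFAULT_WEAK_KEY)
    print("token signed with default key is accepted:", uses_default_key(forged))
    new_key = generate_strong_key()
    print("new secret:", new_key)
    print("same token under the new key:", jwt_hs256_verify(forged, new_key.encode()))
```

Run it against a token captured from your own deployment: if `uses_default_key` returns True, the signing secret is still the default and must be rotated in the server configuration (the page does not name the setting, so consult the vendor documentation for where the secret lives).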

RCE

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2021-43444

Affected Products

Onlyoffice