CVE-2023-34088

Name of the Vulnerable Software and Affected Versions Collabora Online versions prior to 22.05.13 Collabora Online versions prior to 21.11.9.1 Collabora Online versions prior to 6.4.27

Description A stored cross-site scripting (XSS) issue was found in Collabora Online. An attacker could create a document with an XSS payload as a document name. If an administrator opened the admin console and navigated to the history page, the document name was injected as unescaped HTML and executed as a script inside the context of the admin console. This could lead to the leak of the administrator JSON web token (JWT) used for the websocket connection.

Recommendations For Collabora Online versions prior to 22.05.13, upgrade to Collabora Online 22.05.13 or higher to receive a patch. For Collabora Online versions prior to 21.11.9.1, upgrade to Collabora Online 21.11.9.1 or higher to receive a patch. For Collabora Online versions prior to 6.4.27, upgrade to Collabora Online 6.4.27 or higher to receive a patch.