CVE-2023-30186

Name of the Vulnerable Software and Affected Versions ONLYOFFICE DocumentServer versions 4.0.3 through 7.3.2

Description A use after free issue in ONLYOFFICE DocumentServer allows remote attackers to run arbitrary code via a crafted JavaScript file. This issue is related to the JavaScript File Handler component and can be exploited by running a specially formed JavaScript file, enabling the attacker to execute arbitrary code.

Recommendations For versions 4.0.3 through 7.3.2, consider disabling the JavaScript File Handler component as a temporary workaround until a patch is available. Restrict access to the vulnerable component to minimize the risk of exploitation. Avoid using crafted JavaScript files in the affected versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.