PT-2023-8434 · Document Foundation+2 · Libreoffice+2
Hightimar
·
Published
2023-12-01
·
Updated
2023-12-06
·
CVE-2023-48314
CVSS v3.1
7.1
High
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Collabora Online - Built-in CODE Server (richdocumentscode) versions prior to 23.5.403
Description
The issue is related to the proxy.php component of Collabora Online, which is a collaborative online office suite based on LibreOffice technology. This component is vulnerable to attack, potentially allowing a remote attacker to conduct a cross-site scripting (XSS) attack due to inadequate protection of the web page structure. Users of Nextcloud with the Collabora Online Built-in CODE Server app are at risk. There are no known workarounds for this issue.
Recommendations
For Collabora Online - Built-in CODE Server (richdocumentscode) versions prior to 23.5.403, upgrade to release 23.5.403 to fix the vulnerability. As a temporary workaround, consider restricting access to the
proxy.php endpoint until the upgrade is applied.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Collabora Online
Libreoffice
Nextcloud