CVE-2023-50883

Name of the Vulnerable Software and Affected Versions ONLYOFFICE Docs versions prior to 8.0.1

Description The issue is related to an incorrect fix for a previous problem, which allows for Cross-Site Scripting (XSS) due to a macro being an immediately-invoked function expression (IIFE). This enables a sandbox escape by directly calling the constructor of the Function object.

Recommendations For versions prior to 8.0.1, update to version 8.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the execution of macros to minimize the risk of exploitation.