CVE-2024-47222

Name of the Vulnerable Software and Affected Versions New Cloud MyOffice SDK Collaborative Editing Server versions 2.2.2 through 2.8

Description The issue is related to the implementation of the WOPI protocol in the MyOffice SDK, which lacks sufficient checking of incoming requests. This allows a remote attacker to manipulate server-side requests, leading to a Server-Side Request Forgery (SSRF) vulnerability. The SSRF vulnerability can be exploited via manipulation of requests from external document storage using the MS-WOPI protocol.

Recommendations For versions 2.2.2 through 2.8, consider restricting access to the MS-WOPI protocol to minimize the risk of exploitation until a patch is available. As a temporary workaround, disabling the collaborative editing feature may also help mitigate the risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.