CVE-2025-5301

Name of the Vulnerable Software and Affected Versions ONLYOFFICE Docs (DocumentServer) versions 8.3.1 and earlier

Description ONLYOFFICE Docs (DocumentServer) is susceptible to a reflected cross-site scripting (XSS) issue when handling files through the WOPI protocol. An attacker can inject malicious scripts by sending specially crafted HTTP POST requests. These requests are then reflected in the server’s HTML response, potentially allowing for the execution of arbitrary code in the context of a user’s browser. The issue stems from a lack of proper sanitization of the web page structure.

Recommendations ONLYOFFICE Docs (DocumentServer) versions prior to 8.3.1 are affected. Update ONLYOFFICE Docs (DocumentServer) to a version later than 8.3.1.