CVE-2025-10255

Name of the Vulnerable Software and Affected Versions: OnlyOffice versions through 12.7.0

Description: A vulnerability exists in Ascensio System SIA OnlyOffice that can lead to cross site scripting. The issue is located in the Comment Handler component, specifically within the file /Products/Projects/Messages.aspx and an unknown function. The attack can be launched remotely. The exploit has been publicly disclosed.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.