CVE-2021-43448
MEDIUM
Published Jan 23, 20233y ago · Modified Jun 17, 20262w ago
5.3 CVSS 3.1
Published Jan 23, 2023 3y ago
Last Modified Jun 17, 2026 2w ago
Description
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
Public Exploit Known
No Patch Available
Weaknesses 1
CWE-20 Improper Input Validation Validation
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| onlyoffice | server | * | ≤7.0.0.49 |
References 3
- github.com https://github.com/ONLYOFFICE/server
- labs.nettitude.com https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/
- onlyoffice.com https://www.onlyoffice.com/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.