plecards.blogg.se

Nextcloud libreoffice online






Now you need to configure your reverse proxy to point to port 9980.

opt/collabora-mydomain) curl -fsSL | sudo bash /dev/stdin

Now you can create a systemd service to autostart by using our script from "Create a systemd service for your docker-compose project in 10 seconds".

You need to change the password and the domain!

COLLABORA_USERNAME=admin
COLLABORA_PASSWORD=veecheit0Phophiesh1fahPah0Wue3

If you wish to apply for an invitation to the bug bounty program, contact us at and specify your nickname, associated email, and the details about your findings.

Create this docker-compose.yml, e.g.

To avoid the security risks, we recommend following our Disclosure Policy. Submission of the vulnerabilities to ONLYOFFICE security team is done through ONLYOFFICE HackerOne program.


How to report vulnerabilities to ONLYOFFICE team

The detailed scenario is described in the original report. Possible impact may be impersonation of a privileged user within organization’s portal by stealing the user’s session cookie or executing custom commands on behalf of the victim by hooking their browser. When the document is saved within a document management system and the user performs a search action within document content in ONLYOFFICE Docs, the action triggers the execution of the XSS in the user’s browser. The intruder shares a malicious document that contains a cross-site scripting (XSS) code. Generally speaking, it is a Multiple DMS XSS vulnerability that allows the intruder to retrieve information about the targeted user’s client.

It’s all open-source, always improving and as more features come to Collabora, they come to the Ubuntu Appliance so you can benefit from them right away.

About CVE-2022-47412

CVE-2022-47412, an instance of CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), was initially discovered by Rapid7 researcher Matthew Kienow in February 2023.

A LibreOffice-based content office suite similar to Microsoft Office, it lets you edit and create office documents in Nextcloud, on your own hardware, under your control.

In fact, it was executable through ONLYOFFICE Docs.


Researchers initially associated the vulnerability with ONLYOFFICE Workspace code. Most importantly, CVE-2022-47412 vulnerability was successfully fixed. You can access full changelog on our GitHub. Version 7.3.3 includes numerous fixes in all editors, mobile apps, ONLYOFFICE Docs backend, and plugins. In this hotfix, we eliminated numerous bugs and successfully patched the recently discovered CVE-2022-47412 vulnerability.







