CVE-2021-43448 - Vulnerability Details - OpenCVE

ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Onlyoffice	Server

Configuration 1 [-]

cpe:2.3:a:onlyoffice:server:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ONLYOFFICE/server
https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/
https://www.onlyoffice.com/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-01-23T00:00:00

Updated: 2024-08-04T03:55:29.264Z

Reserved: 2021-11-08T00:00:00

Link: CVE-2021-43448

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-23T15:15:13.450

Modified: 2024-11-21T06:29:14.710

Link: CVE-2021-43448

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:onlyoffice:server:*:*:*:*:*:*:*:*", "matchCriteriaId": "F20D43B1-2433-412A-8D51-7D04C974D445", "versionEndIncluding": "7.0.0.49", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the document id is known."}, {"lang": "es", "value": "Todas las versiones de ONLYOFFICE con fecha posterior al 08/11/2021 son vulnerables a una validaci\u00f3n de entrada incorrecta. La falta de validaci\u00f3n de entrada puede permitir que un atacante falsifique los nombres de los usuarios que interact\u00faan con un documento, si se conoce la identificaci\u00f3n del documento."}], "id": "CVE-2021-43448", "lastModified": "2024-11-21T06:29:14.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-23T15:15:13.450", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/ONLYOFFICE/server"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.onlyoffice.com/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ONLYOFFICE/server"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://labs.nettitude.com/blog/exploiting-onlyoffice-web-sockets-for-unauthenticated-remote-code-execution/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Vendor Advisory"], "url": "https://www.onlyoffice.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}