CVE-2021-3199
CRITICALONLYOFFICE Document Server < 5.6.3 - Path Traversal and Remote Code Execution via Image Upload Parameter
Title source: llmDescription
Directory traversal with remote code execution can occur in /upload in ONLYOFFICE Document Server before 5.6.3, when JWT is used, via a /.. sequence in an image upload parameter.
References (3)
Core 3
Core References
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/ONLYOFFICE/DocumentServer/blob/903fe5ab7a275bd69c3c3346af2d21cf87ebeabf/CHANGELOG.md#563
Exploit, Third Party Advisory x_refsource_misc
https://github.com/nola-milkin/poc_exploits/blob/master/CVE-2021-3199/poc_uploadImageFile.py
Exploit, Third Party Advisory x_refsource_misc
https://github.com/moehw/poc_exploits/tree/master/CVE-2021-3199/poc_uploadImageFile.py
Scores
CVSS v3
9.8
EPSS
0.0822
EPSS Percentile
94.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-22
Status
published
Products (1)
onlyoffice/document_server
< 5.6.3
Published
Jan 26, 2021
Tracked Since
Feb 18, 2026