CVE-2025-10254
Severity: LOW
OnlyOffice < 12.7.0 - Cross-Site Scripting via SVG Image Handler in Messages.aspx
Title source: llmDescription
A vulnerability was found in Ascensio System SIA OnlyOffice up to 12.7.0. This issue affects some unknown processing of the file /Products/Projects/Messages.aspx of the component SVG Image Handler. Performing manipulation results in cross-site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was informed early about this issue and replied: "We are already working on this case, and the issues will be resolved in one of the upcoming patches."
References (4)
vdb-entry (Permissions Required, VDB Entry): https://vuldb.com/?id.323614
signature (Permissions Required, VDB Entry, permissions-required): https://vuldb.com/?ctiid.323614
third-party-advisory (Permissions Required, VDB Entry): https://vuldb.com/?submit.635870
exploit (Various Sources): https://hkohi.ca/vulnerability/20
Scores
CVSS v3: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
EPSS: 0.0025 (EPSS Percentile: 15.6%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79, CWE-94
Status: published
Products (8)
Ascensio System SIA/OnlyOffice: 12.0, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.7.0
Published: Sep 11, 2025
Tracked Since: Feb 18, 2026