CVE-2025-10255
OnlyOffice < 12.7.0 - Cross-Site Scripting in Comment Handler
Severity: LOW
Title source: llmDescription
A vulnerability was identified in Ascensio System SIA OnlyOffice up to 12.7.0. An unknown function of the file /Products/Projects/Messages.aspx in the Comment Handler component is affected. Manipulation can lead to cross-site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was informed early about this issue and replied: "We are already working on this case, and the issues will be resolved in one of the upcoming patches."
References (4)
Core References (4)
- vdb-entry (Permissions Required, VDB Entry): https://vuldb.com/?id.323615
- signature, permissions-required (Permissions Required, VDB Entry): https://vuldb.com/?ctiid.323615
- third-party-advisory (Permissions Required, VDB Entry): https://vuldb.com/?submit.635871
- exploit (Various Sources): https://hkohi.ca/vulnerability/21
Scores
CVSS v3: 3.5
EPSS: 0.0029
EPSS Percentile: 20.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-79, CWE-94
Status: published
Products (8)
- Ascensio System SIA / OnlyOffice 12.0
- Ascensio System SIA / OnlyOffice 12.1
- Ascensio System SIA / OnlyOffice 12.2
- Ascensio System SIA / OnlyOffice 12.3
- Ascensio System SIA / OnlyOffice 12.4
- Ascensio System SIA / OnlyOffice 12.5
- Ascensio System SIA / OnlyOffice 12.6
- Ascensio System SIA / OnlyOffice 12.7.0
Published: Sep 11, 2025
Tracked Since: Feb 18, 2026