
Cloud Vulnerability DB
A community-led vulnerabilities database
A cross-site scripting (XSS) vulnerability was discovered in ONLYOFFICE Document Server Example before version 7.0.0. The vulnerability allows remote attackers to inject arbitrary HTML or JavaScript code through the /example/editor endpoint. The issue was identified and assigned CVE-2022-24229, with disclosure occurring in January 2022 (GitHub Issue).
The vulnerability exists in several parameters of the '/example/editor' path, specifically the 'action', 'type', and 'lang' parameters. The values supplied to these parameters are reflected into the page without proper sanitization, allowing the execution of arbitrary JavaScript code in the browser. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).
Successful exploitation could allow attackers to execute arbitrary JavaScript code in the context of the victim's browser session. This could lead to theft of sensitive information, session hijacking, or other client-side attacks when users access the affected /example/editor endpoint.
The vulnerability was fixed in ONLYOFFICE Document Server version 7.0.0. Users running affected versions should upgrade to version 7.0.0 or later to mitigate this security risk. As a temporary workaround, it is recommended to close or disable the test example in Document Server if not required (GitHub Issue).
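The following is an added illustration of the bug class described above (reflected parameters rendered without encoding) beside its hardened form, plus a log check for requests that carry out-of-allowlist values. It is not ONLYOFFICE's code; it assumes a Node.js handler that reflects 'action', 'type' and 'lang' into the editor page, and the allowed values, defaults and log lines are placeholders constructed for the example.

```javascript
// Added illustration of the bug class above, not ONLYOFFICE code.
// Assumptions: a Node.js handler reflects the 'action', 'type' and 'lang'
// query parameters into the editor page; the allowed values are placeholders.

const ALLOWED = {
  action: new Set(['edit', 'view', 'embedded']),     // placeholder values
  type:   new Set(['desktop', 'mobile', 'embedded']), // placeholder values
  lang:   /^[a-z]{2}(-[A-Z]{2})?$/,                   // e.g. "en", "pt-BR"
};
const DEFAULTS = { action: 'edit', type: 'desktop', lang: 'en' };

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept a value only if it matches the allowlist; otherwise fall back to the default.
function pickParam(name, value) {
  const rule = ALLOWED[name];
  const v = value == null ? '' : String(value);
  const ok = rule instanceof Set ? rule.has(v) : rule.test(v);
  return ok ? v : DEFAULTS[name];
}

// "Before": raw interpolation of query values, the pattern the advisory describes.
function renderEditorUnsafe(q) {
  return `<div id="editor" data-action="${q.action}" data-type="${q.type}" lang="${q.lang}"></div>`;
}

// "After": allowlist first, then encode anyway so the output is inert in any HTML context.
function renderEditorSafe(q) {
  const a = escapeHtml(pickParam('action', q.action));
  const t = escapeHtml(pickParam('type', q.type));
  const l = escapeHtml(pickParam('lang', q.lang));
  return `<div id="editor" data-action="${a}" data-type="${t}" lang="${l}"></div>`;
}

// Detection: from access-log request lines, return those hitting /example/editor
// with an action/type/lang value outside the allowlist (a probe or reflection attempt).
function flagEditorRequests(logLines) {
  return logLines.filter((line) => {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\//);
    if (!m) return false;
    const url = new URL(m[1], 'http://localhost');
    if (url.pathname !== '/example/editor') return false;
    return ['action', 'type', 'lang'].some((p) =>
      url.searchParams.has(p) && pickParam(p, url.searchParams.get(p)) !== url.searchParams.get(p));
  });
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2022:10:00:00 +0000] "GET /example/editor?action=edit&lang=en HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Jan/2022:10:00:01 +0000] "GET /example/editor?lang=%22%3E%3Cb%3Ex HTTP/1.1" 200 530',
  '10.0.0.9 - - [01/Jan/2022:10:00:02 +0000] "GET /example/ HTTP/1.1" 200 200',
];
```

Encoding alone is not enough when a value is later used in a JavaScript or URL context; the allowlist is what keeps the reflected values to known-good tokens regardless of where the template places them.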
Source: This report was generated using AI