Vulnerability DatabaseCVE-2023-34939

CVE-2023-34939:
Homebrew vulnerability analysis and mitigation

Overview

A remote code execution (RCE) vulnerability was discovered in Onlyoffice Community Server versions before v12.5.2. The vulnerability, tracked as CVE-2023-34939, exists in the UploadProgress.ashx component and allows unauthorized attackers to execute arbitrary code on affected systems (POC Advisory).

Technical details

The vulnerability is located in the UploadProgress.ashx component, which handles file uploads. The issue stems from improper limitation of a pathname to a restricted directory (Path Traversal). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The only prerequisite for exploitation is the existence of a thread in the forum module (NVD).

Impact

This vulnerability allows unauthorized attackers to execute arbitrary code on the affected system by sending specially crafted requests to the server. The successful exploitation could lead to complete system compromise, as the attacker can gain full control over the affected server (POC Advisory).

Mitigation and workarounds

The vulnerability has been fixed in Onlyoffice Community Server version 12.5.2. Organizations using affected versions should upgrade to v12.5.2 or later immediately to prevent potential attacks (Release Notes).

Additional resources

Source: This report was generated using AI

Related Homebrew vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-21693	HIGH	8.8	Homebrew	iccdev	No	Yes	Jan 07, 2026
CVE-2026-21692	HIGH	8.8	Homebrew	iccdev	No	Yes	Jan 07, 2026
CVE-2025-69262	HIGH	7.8	JavaScript	pnpm	No	Yes	Jan 07, 2026
CVE-2026-21885	MEDIUM	6.5	NixOS	miniflux	No	Yes	Jan 08, 2026
CVE-2026-21691	MEDIUM	6.5	Homebrew	iccdev	No	Yes	Jan 07, 2026