CVE-2023-50883: 
ONLYOFFICE DocumentServer vulnerability analysis and mitigation

ONLYOFFICE Docs before 8.0.1 contains a Cross-Site Scripting (XSS) vulnerability identified as CVE-2023-50883. The vulnerability exists in the macro feature where a sandbox escape is possible by directly calling the constructor of the Function object through an immediately-invoked function expression (IIFE). This issue exists because of an incomplete fix for CVE-2021-43446 (NIST NVD, SYSS Advisory).

The vulnerability stems from improper sandboxing and sanitizing of user input in the macro function. Macros are defined as an immediately invoked function expression (IIFE) in the form (function(){})(). When this IIFE is passed to the JavaScript eval() function inside a sandboxing method, the sandbox can be escaped by directly calling the constructor of the Function object. This works because the Function constructor creates functions that execute in the global scope, thereby escaping the local scope of the sandboxing method (SYSS Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of the application by escaping the macro sandbox. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious actions typically associated with XSS attacks (SYSS Advisory).

The vulnerability was fixed in ONLYOFFICE version 8.0.1. Organizations are recommended to update to this version or later. Alternatively, organizations can remove or disable the macro plug-in feature to mitigate the risk (SYSS Advisory).