CVE-2024-44085: 
Homebrew vulnerability analysis and mitigation

ONLYOFFICE Docs before version 8.1.0 contains a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary JavaScript code via a GeneratorFunction Object attack against a macro. This vulnerability exists due to an incorrect fix for previous vulnerabilities CVE-2021-43446 and CVE-2023-50883, and is related to the use of an immediately-invoked function expression (IIFE) for a macro (NIST NVD, SySS Advisory).

The vulnerability stems from improper sandboxing and sanitizing of user input in the macro function. Macros are defined as immediately invoked function expressions (IIFE) in the form (function(){})(). While the application attempts to sandbox the IIFE using JavaScript's eval() function, the sandbox can be escaped by directly calling the constructor of the GeneratorFunction object. This object executes in the global scope, thereby bypassing the local scope restrictions of the sandboxing method (SySS Advisory). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NIST NVD).

When successfully exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in the context of the victim's session. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions within the user's browser context (SySS Advisory).

The vulnerability has been fixed in ONLYOFFICE version 8.1.0. Organizations using affected versions should update to version 8.1.0 or later. Alternatively, administrators can remove or disable the macro plug-in feature as a temporary workaround (SySS Advisory).