Impact
A reflected XSS vulnerability was found in Collabora Online. The host_session_id query/form parameter was substituted into the editor HTML page without HTML encoding, unlike other parameters which are routed through the existing variable-encoding mechanism. An attacker who could induce a victim to load a crafted URL could inject HTML into the editor page and, in the absence of a Content Security Policy, execute scripts in the context of the Collabora Online iframe. This exposes the session's authentication token and the page contents to the attacker.
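To make the defect and its fix concrete, the following is an added example in C++ and not Collabora's code: a toy template substitution that inserts a value verbatim, beside the same substitution routed through an HTML encoder. The `%HOST_SESSION_ID%` token, the page fragment and the encoder are assumptions standing in for coolwsd's own variable-encoding mechanism.

```cpp
#include <map>
#include <string>

// HTML encoder for text and attribute values. Assumed stand-in for
// coolwsd's own variable-encoding mechanism; not Collabora's code.
std::string htmlEncode(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Replace every %NAME% token in `page` with the value registered for NAME.
// encode=true routes each value through htmlEncode (the fixed behaviour);
// encode=false inserts it verbatim (the defect the advisory describes).
std::string substituteVariables(std::string page,
                                const std::map<std::string, std::string>& vars,
                                bool encode) {
    for (const auto& kv : vars) {
        const std::string token = "%" + kv.first + "%";
        const std::string value = encode ? htmlEncode(kv.second) : kv.second;
        std::size_t pos = 0;
        while ((pos = page.find(token, pos)) != std::string::npos) {
            page.replace(pos, token.size(), value);
            pos += value.size();
        }
    }
    return page;
}

// Constructed editor-page fragment; the %HOST_SESSION_ID% token is an assumption.
std::string renderEditorPage(const std::string& hostSessionId, bool encode) {
    const std::string page =
        "<input type=\"hidden\" id=\"host_session_id\" value=\"%HOST_SESSION_ID%\">";
    return substituteVariables(page, {{"HOST_SESSION_ID", hostSessionId}}, encode);
}

// True when the untrusted value reached the page with its markup characters
// intact, i.e. the attribute could be closed and new elements opened.
bool leaksRawMarkup(const std::string& page, const std::string& value) {
    return value.find_first_of("<>\"'&") != std::string::npos &&
           page.find(value) != std::string::npos;
}
```

A regression test for the fix is simply the second check: render the page with a value containing markup characters and assert that the raw value is no longer findable in the output.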
Patches
Users should upgrade to Collabora Online 25.04.11 or higher, or to Collabora Online 24.04.18 or higher.
Workarounds
Ensure that any reverse proxy in front of Collabora Online does not strip the Content Security Policy header sent by coolwsd.
Credits
Thanks to @cristibtz for reporting this flaw.
For more information
If you have any questions or comments about this advisory: