Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.
CVSS Information
N/A
Vulnerability Type
N/A
Vulnerability Title
Collabora CODE WOPI API 跨站脚本漏洞
Vulnerability Description
Collabora CODE是英国Collabora公司的一款协作办公解决方案。该产品支持在线文档编辑和查看等功能。WOPI API是其中的一个WOPI(Web应用程序开放平台接口协议)API。 Collabora CODE 4.2.2及之前版本中的WOPI API集成存在安全漏洞,该漏洞源于程序没有正确限制发往用户浏览器的JavaScript代码并且缺少适当的MIME类型访问控制。攻击者可通过获取API的访问令牌利用该漏洞获取帐户凭据。
CVSS Information
N/A
Vulnerability Type
N/A