CVE-2021-32745 HIGH

CVE-2021-32745: Reflected Cross-Site-Scripting vulnerability

Vendor Collaboraonline
Product online
Weakness CWE-79 · XSS
Published July 21, 2021
Last update August 3, 2024

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Collabora Online is a collaborative online office suite. A reflected XSS vulnerability was found in Collabora Online prior to version 6.4.9-5. An attacker could inject unescaped HTML into a variable as they created the Collabora Online iframe, and execute scripts inside the context of the Collabora Online iframe. This would give access to a small set of user settings stored in the browser, as well as the session's authentication token which was also passed in at iframe creation time. The issue is patched in Collabora Online 6.4.9-5. Collabora Online 4.2 is not affected.

Key dates

02Disclosure timeline

July 21, 2021 CVE published
August 3, 2024 Record updated