CVE-2021-43817 HIGH

CVE-2021-43817: Reflected Cross-Site-Scripting vulnerability in Collabora Online

Vendor Collaboraonline
Product online
Weakness CWE-79 · XSS
Published December 13, 2021
Last update August 4, 2024

CVSS base score

8.2/10 (High)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N

What the vulnerability does

Description

Collabora Online is a collaborative online office suite based on LibreOffice technology. Affected versions contain a reflected cross-site scripting (XSS) vulnerability: a variable set when the Collabora Online iframe is created was written into the page as HTML without escaping, so an attacker who controls that value can execute script in the context of the Collabora Online iframe. That context exposes a small set of user settings stored in the browser and, more seriously, the session's authentication token, which is also passed in at iframe creation time. Because the flaw is reflected, exploitation requires the victim to open an attacker-supplied link (User interaction: Required in the CVSS vector). Users should upgrade to Collabora Online 6.4.16 or higher, or Collabora Online 4.2.20 or higher. Collabora Online Development Edition 21.11 is not affected.

Key dates

Disclosure timeline

December 13, 2021 CVE published
August 4, 2024 Record updated