CVE-2025-10255 MEDIUM

CVE-2025-10255: Ascensio System SIA OnlyOffice Comment Messages.aspx cross site scripting

Vendor Ascensio System Sia
Product OnlyOffice
Weakness CWE-79 · XSS
Published September 11, 2025
Last update September 11, 2025
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability was determined in Ascensio System SIA OnlyOffice up to 12.7.0. Impacted is an unknown function of the file /Products/Projects/Messages.aspx of the component Comment Handler. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and replied: "We are already working on this case, and the issues will be resolved in one of the upcoming patches."

Key dates

02Disclosure timeline

September 11, 2025 CVE published
September 11, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-30850 WordPress Dr. Flex plugin <= 2.0.0 - Cross Site Scripting (XSS) vulnerability CVE-2023-50827 WordPress Accredible Certificates & Open Badges Plugin <= 1.4.8 is vulnerable to Cross Site Scripting (XSS) CVE-2024-13399 Gosign – Posts Slider Block <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-64220 WordPress Rey Core plugin <= 3.1.8 - Cross Site Scripting (XSS) vulnerability CVE-2024-29814 WordPress Exchange Rates Widget plugin <= 1.4.0 - Cross Site Scripting (XSS) vulnerability