CVE-2023-34939
Published: 22 June 2023
Summary
CVE-2023-34939 is a critical-severity Path Traversal (CWE-22) vulnerability in Onlyoffice Community Server. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Onlyoffice Community Server versions before 12.5.2 contain a remote code execution vulnerability in the UploadProgress.ashx component. The issue is tracked as CVE-2023-34939 with a CVSS 3.1 score of 9.8 and is classified as CWE-22 path traversal; it allows unauthenticated network attackers to achieve full confidentiality, integrity, and availability impact.
An attacker can send crafted requests directly to the exposed UploadProgress.ashx endpoint without authentication or user interaction, enabling arbitrary code execution on the server. Public proof-of-concept code demonstrates successful exploitation of the path traversal flaw to reach RCE.
The vendor addressed the flaw in Community Server 12.5.2, as noted in the project changelog. The current EPSS score of 0.1278 has not moved materially from its recorded peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-38978
Vulnerability details
Onlyoffice Community Server before v12.5.2 was discovered to contain a remote code execution (RCE) vulnerability via the component UploadProgress.ashx.
CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.