CVE-2020-12432

Published: Jul 21, 2020

Modified: Aug 4, 2024

PUBLISHED

Description

The WOPI API integration for Vereign Collabora CODE through 4.2.2 does not properly restrict delivery of JavaScript to a victim's browser, and lacks proper MIME type access control, which could lead to XSS that steals account credentials via cookies or local storage. The attacker must first obtain an API access token, which can be accomplished if the attacker is able to upload a .docx or .odt file. The associated API endpoints for exploitation are /wopi/files and /wopi/getAccessToken.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.youtube.com/watch?v=_tkRnSr6yc0

x_refsource_MISC

https://github.com/d7x/CVE-2020-12432

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2020-12432

Description

Affected Products

References