CVE-2025-10255

low-risk
Published 2025-09-11

A vulnerability was determined in Ascensio System SIA OnlyOffice up to 12.7.0. Impacted is an unknown function of the file /Products/Projects/Messages.aspx of the component Comment Handler. Executing manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was informed early about this issue and replied: "We are already working on this case, and the issues will be resolved in one of the upcoming patches."

Do I need to act?

-
0.03% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.5/10 Low
NETWORK / LOW complexity

References (6)

https://hkohi.ca/vulnerability/21
https://vuldb.com/?ctiid.323615
https://vuldb.com/?id.323615
https://vuldb.com/?submit.635871
https://hkohi.ca/vulnerability/21
https://vuldb.com/?submit.635871
21
/ 100
low-risk
Severity 16/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal