CVE-2024-44085: n/a
ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object attack against a macro. This is related to use of an immediately-invoked function expression (IIFE) for a macro. NOTE: this issue exists because of an incorrect fix for CVE-2021-43446 and CVE-2023-50883.
AI Analysis
Technical Summary
CVE-2024-44085 is a medium-severity cross-site scripting (XSS) vulnerability identified in ONLYOFFICE Docs versions before 8.1.0. The vulnerability stems from the use of a GeneratorFunction object in conjunction with an immediately-invoked function expression (IIFE) within macros, which allows malicious actors to inject and execute arbitrary JavaScript code in the context of the user’s browser session. This issue is a regression caused by an incorrect remediation of earlier vulnerabilities CVE-2021-43446 and CVE-2023-50883, indicating that the prior fixes did not fully address the underlying problem. The vulnerability is exploitable remotely over the network without requiring authentication, but it does require user interaction, such as opening a malicious document containing the crafted macro. The CVSS 3.1 base score is 6.1, reflecting a network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change with partial impact on confidentiality and integrity but no impact on availability. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), which is a common XSS classification. No public exploits have been reported yet, but the presence of this flaw in a widely used document collaboration platform poses a risk of targeted attacks or phishing campaigns leveraging malicious macros. The lack of an official patch link suggests that users should monitor ONLYOFFICE’s advisories closely and apply updates promptly once released.
Potential Impact
The impact of CVE-2024-44085 on organizations worldwide includes potential unauthorized script execution within the context of ONLYOFFICE Docs users’ browsers. This can lead to partial disclosure of sensitive information (confidentiality impact) and unauthorized modification of document content or session data (integrity impact). While availability is not affected, the ability to execute arbitrary scripts can facilitate further attacks such as session hijacking, credential theft, or lateral movement within an organization’s network. Since the vulnerability requires user interaction, social engineering or phishing campaigns could be used to trick users into opening malicious documents. Organizations relying on ONLYOFFICE Docs for document collaboration, especially those handling sensitive or regulated data, face increased risk of data breaches or compliance violations. The regression nature of this vulnerability also raises concerns about the robustness of the vendor’s patching process, potentially undermining user trust and increasing the likelihood of exploitation once a reliable exploit becomes available.
Mitigation Recommendations
To mitigate CVE-2024-44085, organizations should:
1) Immediately monitor ONLYOFFICE’s official channels for patches or updates addressing this vulnerability and apply them promptly once available, ideally upgrading to version 8.1.0 or later.
2) Implement strict macro security policies, including disabling macros by default and enabling them only from trusted sources.
3) Educate users about the risks of opening documents with macros from untrusted or unknown origins to reduce the likelihood of successful social engineering attacks.
4) Employ web application firewalls (WAFs) or endpoint security solutions capable of detecting and blocking suspicious script execution patterns related to XSS attacks.
5) Conduct regular security audits and penetration testing focused on document collaboration platforms to identify and remediate similar vulnerabilities proactively.
6) Consider network segmentation and least privilege principles to limit the impact of any successful exploitation within the internal environment.
7) Monitor logs and network traffic for unusual activity indicative of exploitation attempts or lateral movement following a compromise.
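Recommendations 1 and 2 above (run 8.1.0 or later, keep macros disabled by default) can be checked across an inventory of ONLYOFFICE Docs deployments. The following is an added example, not code from ONLYOFFICE or from this page; the hostnames and inventory entries are constructed, and the `customization.macros` / `macrosMode` keys and their defaults are taken from ONLYOFFICE's Docs API documentation as an assumption to confirm against the deployed version.

```javascript
// Added example: audit deployments against recommendations 1 and 2.
// FIXED_VERSION comes from the advisory text ("before 8.1.0").
const FIXED_VERSION = [8, 1, 0];

// Parse "8.0.1", "v8.0.1" or "8.0.1.31" (trailing build number) into [major, minor, patch].
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[.\-]\d+)?$/.exec(String(text).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the parsed version sorts strictly before the fixed release.
function isBelowFixed(parts) {
  for (let i = 0; i < FIXED_VERSION.length; i++) {
    if (parts[i] !== FIXED_VERSION[i]) return parts[i] < FIXED_VERSION[i];
  }
  return false; // exactly 8.1.0
}

// Assumption: customization.macros / customization.macrosMode are the editor
// config keys; absent keys fall back to the assumed defaults (true / "warn").
function auditDeployment(entry) {
  const findings = [];
  const parts = parseVersion(entry.version);
  if (!parts) findings.push("version-unknown");
  else if (isBelowFixed(parts)) findings.push("upgrade-to-8.1.0-or-later");
  const c = (entry.editorConfig && entry.editorConfig.customization) || {};
  const macros = c.macros !== undefined ? c.macros : true;
  const mode = c.macrosMode !== undefined ? c.macrosMode : "warn";
  if (macros !== false && mode !== "disable") findings.push("macros-not-disabled");
  return findings;
}

function auditInventory(list) {
  return list.map((e) => ({ host: e.host, findings: auditDeployment(e) }));
}

// Constructed sample inventory (hypothetical hosts and settings).
const inventory = [
  { host: "docs-a.example.internal", version: "8.0.1.31", editorConfig: {} },
  { host: "docs-b.example.internal", version: "8.1.0",
    editorConfig: { customization: { macrosMode: "disable" } } },
  { host: "docs-c.example.internal", version: "unknown" },
];

console.log(JSON.stringify(auditInventory(inventory), null, 2));
```

An unparseable version string is reported as `version-unknown` rather than treated as patched, so incomplete inventory data surfaces as a finding.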
Affected Countries
United States, Germany, United Kingdom, France, Russia, China, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-08-19T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cdab7ef31ef0b569914
Added to database: 2/25/2026, 9:42:50 PM
Last enriched: 2/28/2026, 6:34:19 AM
Last updated: 4/12/2026, 8:36:13 AM