CVE-2025-10254: Cross Site Scripting in Ascensio System SIA OnlyOffice
A vulnerability was found in Ascensio System SIA OnlyOffice up to 12.7.0. This issue affects some unknown processing of the file /Products/Projects/Messages.aspx of the component SVG Image Handler. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was informed early about this issue and replied: "We are already working on this case, and the issues will be resolved in one of the upcoming patches."
AI Analysis
Technical Summary
CVE-2025-10254 is a cross-site scripting (XSS) vulnerability in Ascensio System SIA's OnlyOffice, affecting versions up to 12.7.0. The flaw resides in the SVG Image Handler component, reached through the file /Products/Projects/Messages.aspx: input related to SVG images is not processed safely, so an attacker can inject script that executes in the context of a victim's browser. The attack can be initiated remotely, but user interaction is required for the payload to fire (for example, viewing a crafted message). The CVSS 4.0 base score is 5.1, a medium severity rating. The vector string indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), passive user interaction (UI:P), and low integrity impact (VI:L) with no impact on confidentiality or availability. The vendor has acknowledged the issue and is working on patches, but no patch links are currently available. No exploitation in the wild has been reported, but public exploit details exist, which raises the likelihood of exploitation. Typical consequences of XSS in this context are theft of session cookies, actions performed on behalf of authenticated users, or phishing content rendered inside the OnlyOffice environment.
Potential Impact
For European organizations using OnlyOffice versions up to 12.7.0, this XSS vulnerability poses a risk of session hijacking, unauthorized actions, and potential lateral movement within internal networks. Since OnlyOffice is often used for document collaboration and project management, exploitation could lead to exposure of sensitive project data or manipulation of project communications. The medium severity suggests that while the impact is not catastrophic, it can facilitate further attacks or data leakage. European organizations in sectors such as finance, government, and critical infrastructure that rely on OnlyOffice for collaboration may face reputational damage, compliance violations (e.g., GDPR), and operational disruptions if attackers exploit this vulnerability. The requirement for user interaction means phishing or social engineering may be used to trigger the exploit, increasing the risk in environments with less security awareness.
Mitigation Recommendations
Organizations should prioritize upgrading OnlyOffice to a patched version once available from Ascensio System SIA. Until patches are released, administrators should implement strict input validation and sanitization on the affected SVG Image Handler component if possible. Deploying web application firewalls (WAFs) with custom rules to detect and block suspicious SVG payloads or script injections targeting /Products/Projects/Messages.aspx can reduce exposure. User training to recognize phishing attempts and suspicious links is critical to mitigate user interaction risks. Additionally, restricting OnlyOffice access to trusted networks and enforcing multi-factor authentication (MFA) can limit the impact of session hijacking. Monitoring logs for unusual activity related to OnlyOffice message components and conducting regular vulnerability scans will help detect exploitation attempts early.
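As an added defender-side illustration (not code from OnlyOffice or from this advisory), the following pre-screen inspects an SVG document before it is stored or rendered and flags the constructs an SVG-based XSS relies on: script and foreignObject elements, event-handler attributes, and script-scheme URLs. It assumes a stdlib-only Python environment; the sample inputs are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# href may be unprefixed (SVG 2) or in the xlink namespace (SVG 1.1).
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
# URL schemes that execute script when followed or loaded.
UNSAFE_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)
# Elements that can carry script or embed arbitrary HTML inside an SVG.
UNSAFE_ELEMENTS = {"script", "foreignObject"}


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def find_svg_script_vectors(svg_text):
    """Return a list of (reason, element) findings; an empty list means nothing was flagged.

    Note: xml.etree expands internal entities, so production code should parse
    with a hardened parser (e.g. defusedxml) to avoid entity-expansion DoS.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("unparseable SVG: %s" % exc, None)]
    findings = []
    if local_name(root.tag) != "svg":
        findings.append(("root element is not <svg>", local_name(root.tag)))
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in UNSAFE_ELEMENTS:
            findings.append(("<%s> element" % name, name))
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):          # onload, onclick, ...
                findings.append(("event handler attribute %s" % aname, name))
            elif attr in URL_ATTRS and UNSAFE_SCHEME.search(value):
                findings.append(("script-scheme URL in %s" % aname, name))
    return findings


def is_safe_svg(svg_text):
    """True only when the pre-screen found no script-capable construct."""
    return not find_svg_script_vectors(svg_text)


# Constructed samples (hypothetical, not payloads from the CVE report).
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
EVENT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect onload="x()"/></svg>'
```

Serving stored SVG with a restrictive Content-Security-Policy or as a download (Content-Disposition: attachment) complements this check, since a pre-screen cannot anticipate every parser quirk.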
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-11T05:42:03.823Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c2ecd12dd08e98e9c669ec
Added to database: 9/11/2025, 3:37:53 PM
Last enriched: 9/11/2025, 3:38:06 PM
Last updated: 9/11/2025, 5:42:31 PM