CVE-2025-10255: Cross Site Scripting in Ascensio System SIA OnlyOffice
A vulnerability was determined in Ascensio System SIA OnlyOffice up to 12.7.0. The affected code is an unknown function of the file /Products/Projects/Messages.aspx in the Comment Handler component. Manipulation of this input can lead to cross-site scripting. The attack may be launched remotely. An exploit has been publicly disclosed and may be used. The vendor was informed early about this issue and replied: "We are already working on this case, and the issues will be resolved in one of the upcoming patches."
AI Analysis
Technical Summary
CVE-2025-10255 is a cross-site scripting (XSS) vulnerability identified in Ascensio System SIA's OnlyOffice product, specifically affecting versions 12.0 through 12.7.0. The vulnerability resides in an unspecified function within the /Products/Projects/Messages.aspx file, part of the Comment Handler component. This flaw allows an attacker to inject malicious scripts that execute in the context of the victim's browser when interacting with the affected component. The vulnerability can be exploited remotely without requiring authentication, although user interaction is necessary to trigger the malicious payload. The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is needed. The impact primarily affects the integrity of the victim's session and potentially confidentiality if sensitive data is accessible via the injected script. The vendor has acknowledged the issue and is working on patches, but no official patch has been released yet, and no known exploits are currently observed in the wild. The vulnerability's exploitation could lead to session hijacking, defacement, or redirection to malicious sites, impacting users of OnlyOffice's project messaging functionality.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on OnlyOffice for collaborative document editing and project management. Successful exploitation could allow attackers to execute arbitrary scripts in users' browsers, potentially leading to session hijacking, theft of sensitive information, or spreading malware within the organization. This could disrupt business operations, damage reputation, and lead to compliance issues under regulations like GDPR if personal data is compromised. Since OnlyOffice is used by enterprises, educational institutions, and government agencies, the risk extends to critical sectors. The remote exploitation capability without authentication increases the attack surface, particularly in environments where OnlyOffice is exposed to the internet or accessible by multiple users. The need for user interaction somewhat limits automated exploitation but does not eliminate risk, especially in phishing or social engineering scenarios.
Mitigation Recommendations
Organizations should immediately review their OnlyOffice deployments to identify whether affected versions (12.0 to 12.7.0) are in use. Until a vendor patch is released, practical mitigations include:
1) Implementing strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing OnlyOffice;
2) Applying input validation and output encoding at the application or web server level if customization is possible;
3) Restricting access to the OnlyOffice project messaging component to trusted users and networks, ideally behind VPNs or internal networks;
4) Educating users about the risks of clicking on suspicious links or messages within OnlyOffice;
5) Monitoring web server logs for unusual requests targeting the Messages.aspx endpoint;
6) Preparing for rapid patch deployment once the vendor releases an update.
Additionally, organizations should consider deploying web application firewalls (WAFs) with rules to detect and block typical XSS payloads targeting OnlyOffice components.
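As an added example of the log-monitoring mitigation above (not part of the advisory and not OnlyOffice's own code), the Python below scans constructed Common Log Format access-log lines and flags requests to the Messages.aspx endpoint whose decoded query parameters carry script-like markup. The parameter names (prjID, comment) and client addresses are made up for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Endpoint named in the advisory; compared case-insensitively since ASP.NET paths are.
TARGET_PATH = "/products/projects/messages.aspx"

# Markup and event handlers that have no business in a project-message parameter.
SUSPICIOUS = re.compile(
    r"<\s*(script|img|svg|iframe|body)\b|javascript\s*:|\bon[a-z]+\s*=", re.I)

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_suspicious(lines):
    """Return one finding per request to TARGET_PATH whose decoded query string
    carries script-like content, naming the offending parameters."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        client, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if url.path.lower() != TARGET_PATH:
            continue
        # parse_qsl decodes once; decode twice more so double-encoded
        # payloads, a common filter-evasion trick, are still inspected.
        params = parse_qsl(url.query, keep_blank_values=True)
        bad = [k for k, v in params
               if SUSPICIOUS.search(unquote_plus(unquote_plus(v)))]
        if bad:
            findings.append({"client": client, "time": ts, "method": method,
                             "status": int(status), "params": bad})
    return findings


# Constructed sample lines: two benign, one plain payload, one double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Sep/2025:16:13:31 +0000] "GET /Products/Projects/Messages.aspx?prjID=12 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [11/Sep/2025:16:14:02 +0000] "GET /Products/Files/Default.aspx?q=%3Cscript%3E HTTP/1.1" 200 800',
    '198.51.100.9 - - [11/Sep/2025:16:15:10 +0000] "GET /Products/Projects/Messages.aspx?prjID=12&comment=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 5210',
    '198.51.100.9 - - [11/Sep/2025:16:15:44 +0000] "GET /products/projects/messages.aspx?comment=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E HTTP/1.1" 200 5210',
]

if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_LOG):
        print(finding)
```

Payloads submitted in a POST body never reach a standard access log, so for the comment handler itself this check belongs at the WAF or reverse proxy where request bodies are visible.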
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-11T05:42:07.426Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c2f52b5d9f58bf45d52198
Added to database: 9/11/2025, 4:13:31 PM
Last enriched: 9/11/2025, 4:13:47 PM
Last updated: 9/11/2025, 5:39:31 PM
Related Threats
- CVE-2025-9319: CWE-494: Download of Code Without Integrity Check in Lenovo Wallpaper Client (High)
- CVE-2025-9214: CWE-306: Missing Authentication for Critical Function in Lenovo LJ2206W Printer (Medium)
- CVE-2025-9201: CWE-427: Uncontrolled Search Path Element in Lenovo Browser (High)
- CVE-2025-8557: CWE-420: Unprotected Alternate Channel in Lenovo XClarity Orchestrator (LXCO) (High)
- CVE-2025-8061: CWE-782: Exposed IOCTL with Insufficient Access Control in Lenovo Dispatcher 3.0 Driver (High)