CVE-2025-68917 is a cross-site scripting (XSS) vulnerability identified in ONLYOFFICE Document Server versions prior to 9.2.1. The vulnerability stems from improper neutralization of user input in the textarea element of the comment editing form within the Document Server component. Specifically, the application fails to adequately sanitize or encode input before rendering it in the web page, allowing an attacker with at least low-level privileges (PR:L) to inject malicious JavaScript code. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other users or components within the Document Server environment. The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with partial impact on confidentiality and integrity but no impact on availability. Although no known exploits are reported in the wild, the vulnerability could be leveraged to steal session tokens, perform unauthorized actions on behalf of users, or conduct phishing attacks within the context of ONLYOFFICE collaborative document editing. The lack of a patch link indicates that a fix may not yet be publicly available, emphasizing the need for vigilance and interim mitigations. ONLYOFFICE Document Server is widely used in enterprise and government sectors for collaborative document editing, making this vulnerability relevant for organizations relying on this platform for secure document workflows.

For European organizations, exploitation of this XSS vulnerability could lead to unauthorized disclosure of sensitive information such as session cookies or authentication tokens, enabling attackers to impersonate legitimate users. This can compromise document confidentiality and integrity, potentially leading to data leakage or unauthorized document modifications. Since ONLYOFFICE is often deployed in collaborative environments, attackers might leverage this vulnerability to conduct targeted phishing or social engineering attacks within the organization. Although availability is not impacted, the breach of trust and data integrity can disrupt business operations and damage reputations. Organizations in sectors handling sensitive or regulated data (e.g., finance, healthcare, government) are particularly at risk. The medium severity score suggests a moderate but actionable threat, especially in environments where user privileges are not tightly controlled or where comment editing is widely accessible. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future attacks once exploit code becomes available.

Organizations should prioritize upgrading ONLYOFFICE Document Server to version 9.2.1 or later once the patch is released to fully remediate the vulnerability. Until then, administrators can implement several practical mitigations: restrict access to the comment editing feature to trusted users only, minimizing the attack surface; deploy web application firewalls (WAFs) with rules specifically designed to detect and block XSS payloads targeting the comment textarea; enforce strict Content Security Policy (CSP) headers to limit the execution of unauthorized scripts; conduct regular security awareness training to help users recognize suspicious behavior or phishing attempts that may leverage this vulnerability; and monitor logs for unusual activity related to comment submissions. Additionally, review and tighten user privilege assignments to ensure that only necessary users have comment editing rights. Regular vulnerability scanning and penetration testing focused on web application security can help detect similar issues proactively.