CVE-2025-68935: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ONLYOFFICE Document Server
CVE-2025-68935 is a medium severity cross-site scripting (XSS) vulnerability in ONLYOFFICE Document Server versions before 9.2.1. The flaw arises from improper input neutralization in the Font field of the Multilevel list settings window, allowing an attacker with low privileges to inject malicious scripts without user interaction. Exploitation can lead to partial compromise of confidentiality and integrity, with no direct impact on availability. The vulnerability affects web-based document collaboration environments and could be leveraged for session hijacking or data theft. No known exploits are currently reported in the wild. European organizations using ONLYOFFICE Document Server should prioritize patching once updates are available and implement strict input validation and content security policies. Countries with higher adoption of ONLYOFFICE, such as Germany, France, and the UK, are more likely to be impacted. Given the CVSS score of 6.
AI Analysis
Technical Summary
CVE-2025-68935 is a cross-site scripting (XSS) vulnerability identified in ONLYOFFICE Document Server versions prior to 9.2.1. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. Specifically, the issue exists in the Font field within the Multilevel list settings window of the Document Server interface. An attacker with low privileges (PR:L) can exploit this vulnerability remotely (AV:N) without requiring user interaction (UI:N). The vulnerability allows injection of malicious scripts that execute in the context of the victim's browser session, potentially leading to unauthorized access to sensitive information or manipulation of document content. The CVSS 3.1 vector indicates a scope change (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. The impact includes limited confidentiality and integrity loss but no availability impact. Although no known exploits are reported in the wild, the vulnerability poses a risk in collaborative document environments where ONLYOFFICE is deployed. The lack of a patch link suggests that a fix may be forthcoming or pending release. The vulnerability highlights the importance of proper input validation and output encoding in web applications, especially those handling rich document editing features.
Potential Impact
For European organizations, the exploitation of this XSS vulnerability could lead to unauthorized disclosure of sensitive document data and potential manipulation of document content, undermining trust in collaborative workflows. Confidentiality impact is limited but significant in environments handling sensitive or regulated information, such as legal, financial, or governmental sectors. Integrity loss could result in altered documents without detection, affecting decision-making and compliance. Since the vulnerability requires low privileges but no user interaction, attackers who gain limited access to the Document Server interface could escalate their impact. The absence of availability impact reduces the risk of service disruption but does not diminish the threat to data security. Organizations relying on ONLYOFFICE Document Server for internal or external collaboration are at risk, especially if the server is internet-facing or accessible by multiple users. The medium severity rating suggests prioritization in patch management cycles, particularly in sectors with strict data protection regulations like GDPR.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Monitor ONLYOFFICE vendor communications closely and apply the security update to version 9.2.1 or later immediately upon release.
2) Until patched, restrict access to the Document Server interface to trusted users and networks, employing network segmentation and VPNs where possible.
3) Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting the Font field or multilevel list settings.
4) Enforce Content Security Policy (CSP) headers to limit script execution sources and reduce XSS impact.
5) Conduct regular security audits and penetration tests focusing on input validation and output encoding in document management systems.
6) Educate users and administrators about the risks of XSS and encourage vigilance for unusual document behavior or interface anomalies.
7) Review and harden authentication and authorization controls to minimize the risk of low-privilege account compromise.
8) Log and monitor Document Server access and input fields for anomalous activity indicative of exploitation attempts.
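As an added example (not ONLYOFFICE code), the two controls the analysis and recommendations above rely on: output encoding plus allowlist validation of a user-controlled font-name string before it is written into an HTML settings dialog, and a nonce-based CSP header as defence in depth. The string-concatenation render is shown only to contrast the CWE-79 pattern with its hardened form; all function names and the sample font string are constructed for illustration.

```javascript
// Allowlist validation: font family names are letters, digits, spaces and a
// few punctuation characters. Anything else is rejected before rendering.
const FONT_NAME_RE = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,99}$/;

function isValidFontName(name) {
  return typeof name === "string" && FONT_NAME_RE.test(name);
}

// Output encoding for HTML text and attribute contexts: every character that
// can alter markup structure is replaced by its entity.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The CWE-79 pattern: raw user input concatenated into markup. Shown only for
// comparison; never use this form.
function renderFontLabelUnsafe(fontName) {
  return `<span class="font-preview" style="font-family:${fontName}">${fontName}</span>`;
}

// Hardened form: validate against the allowlist, fall back to a known-good
// default on failure, then encode once for the attribute and text contexts.
function renderFontLabelSafe(fontName, fallback = "Arial") {
  const chosen = isValidFontName(fontName) ? fontName : fallback;
  const safe = escapeHtml(chosen);
  return `<span class="font-preview" style="font-family:${safe}">${safe}</span>`;
}

// CSP as defence in depth: only first-party scripts carrying the per-response
// nonce may execute, so an injected inline script is blocked even where an
// encoding step was missed. The nonce must be random and unguessable.
function buildCspHeader(nonce) {
  if (!/^[A-Za-z0-9+/=]{16,}$/.test(nonce)) throw new Error("nonce too short or malformed");
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}
```

Pair the encoding with monitoring of rejected font-name submissions (recommendation 8 above); a stream of rejections on this one field is a useful indicator of probing.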
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-25T20:05:48.277Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 694d9b76ac739891066893e2
Added to database: 12/25/2025, 8:15:50 PM
Last enriched: 1/1/2026, 10:41:47 PM
Last updated: 2/6/2026, 8:51:12 AM