CVE-2025-68935: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ONLYOFFICE Document Server
ONLYOFFICE Docs before 9.2.1 allows XSS via the Font field for the Multilevel list settings window. This is related to DocumentServer.
AI Analysis
Technical Summary
CVE-2025-68935 identifies a Cross-site Scripting (XSS) vulnerability classified under CWE-79 in ONLYOFFICE Document Server versions prior to 9.2.1. The vulnerability specifically exists in the handling of the Font field within the Multilevel list settings window, where user input is not properly sanitized or neutralized before being rendered on a web page. This improper input handling allows an attacker with low privileges (PR:L) to inject malicious JavaScript code that executes in the context of other users’ browsers without requiring any user interaction (UI:N). The vulnerability has a CVSS 3.1 base score of 6.4, indicating a medium severity level, with network attack vector (AV:N), low attack complexity (AC:L), partial impact on confidentiality and integrity (C:L/I:L), no impact on availability (A:N), and scope change (S:C) indicating that the vulnerability affects resources beyond the initially vulnerable component. Exploitation could allow attackers to steal session tokens, manipulate document content, or perform actions on behalf of other users within the Document Server environment. Although no known exploits are currently reported in the wild, the vulnerability poses a risk to organizations using ONLYOFFICE for collaborative document editing, especially where multiple users access the Document Server via browsers. The vulnerability’s presence in a widely used document collaboration platform underscores the importance of timely patching and secure input validation practices.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive document content or user session information, undermining confidentiality and integrity within collaborative environments. Attackers exploiting this XSS flaw could hijack user sessions, inject malicious content into documents, or manipulate user interface elements, potentially facilitating further attacks such as phishing or privilege escalation. Sectors with high reliance on document collaboration platforms, including government agencies, financial institutions, and large enterprises, may face operational disruptions and reputational damage if exploited. Given the scope change in the CVSS vector, the impact could extend beyond the immediate vulnerable component, affecting integrated systems or services relying on ONLYOFFICE Document Server. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. European data protection regulations such as GDPR also heighten the consequences of data breaches resulting from such vulnerabilities.
Mitigation Recommendations
Organizations should immediately upgrade ONLYOFFICE Document Server to version 9.2.1 or later, where this vulnerability is addressed. In addition to patching, implement strict input validation and sanitization on all user-supplied data fields, particularly those related to document formatting and settings. Deploy Content Security Policies (CSP) to restrict the execution of unauthorized scripts within the Document Server web interface. Conduct regular security audits and penetration testing focused on web application input handling. Limit user privileges to the minimum necessary to reduce the risk of exploitation by low-privilege attackers. Monitor logs for unusual activity related to document editing or font field inputs. Educate users about the risks of XSS and encourage cautious behavior when interacting with document collaboration tools. Finally, consider network segmentation and web application firewalls (WAF) to detect and block malicious payloads targeting the Document Server.
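The following is an added illustration, not ONLYOFFICE's own code: a minimal model of a settings dialog rendering a user-supplied font name, showing the CWE-79 pattern beside a hardened version and the CSP header the recommendations above call for. The font allowlist, the rendering functions and the test input are constructed for this example.

```javascript
// Added example (not ONLYOFFICE code): rendering a user-supplied font name
// from a list-settings dialog into HTML, unsafe and hardened variants.

// Constructed allowlist of fonts the dialog is willing to display verbatim.
const ALLOWED_FONTS = new Set(["Arial", "Calibri", "Times New Roman"]);

// Escape the five characters that break out of HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Syntactic validation for fonts not on the allowlist: conservative character
// class and bounded length; returns null when the value is rejected.
function validateFontName(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > 64) return null;
  return /^[A-Za-z0-9][A-Za-z0-9 _.\-]*$/.test(trimmed) ? trimmed : null;
}

// Vulnerable pattern (the CWE-79 shape the advisory describes): the raw value
// is concatenated into both a style attribute and the element body.
function renderFontLabelUnsafe(fontName) {
  return `<span style="font-family:${fontName}">${fontName}</span>`;
}

// Hardened pattern: allowlist first, then syntactic validation, then escaping
// of whatever is rendered; rejected input falls back to a fixed default.
function renderFontLabelSafe(fontName) {
  const name = ALLOWED_FONTS.has(fontName)
    ? fontName
    : (validateFontName(fontName) ?? "Arial");
  const safe = escapeHtml(name);
  return `<span style="font-family:${safe}">${safe}</span>`;
}

// Defence in depth: a Content-Security-Policy value with no inline scripts, so
// a missed escape in markup does not become script execution.
function contentSecurityPolicy() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Detection aid for tests and log review: flags markup that still carries a
// raw script-bearing tag or an inline event handler.
function markupLooksInjected(markup) {
  return /<\s*(script|img|svg|iframe)\b/i.test(markup) || /\son\w+\s*=/i.test(markup);
}
```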
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-25T20:05:48.277Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 694d9b76ac739891066893e2
Added to database: 12/25/2025, 8:15:50 PM
Last enriched: 12/25/2025, 8:31:11 PM
Last updated: 12/25/2025, 11:37:07 PM