
CVE-2025-68936: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in ONLYOFFICE Document Server

Severity: Medium
Tags: Vulnerability, CVE-2025-68936, CVE, CWE-79
Published: Thu Dec 25 2025 (12/25/2025, 20:07:55 UTC)
Source: CVE Database V5
Vendor/Project: ONLYOFFICE
Product: Document Server

Description

CVE-2025-68936 is a medium severity Cross-site Scripting (XSS) vulnerability in ONLYOFFICE Document Server versions before 9.2.1. The flaw arises from improper neutralization of input in the Color theme name, allowing an attacker with low privileges to inject malicious scripts without user interaction. Exploitation can lead to partial compromise of confidentiality and integrity, but does not affect availability. There are no known exploits in the wild yet. European organizations using ONLYOFFICE Document Server should prioritize patching to prevent potential targeted attacks. Countries with higher adoption of ONLYOFFICE and significant document collaboration needs are at greater risk. Mitigation involves applying updates once available, restricting access to the Document Server, and implementing web application firewalls with XSS protections. Exploitation is low in complexity but requires some privileges, making this a moderate risk that should be addressed promptly.

AI-Powered Analysis

Last updated: 01/01/2026, 22:41:59 UTC

Technical Analysis

CVE-2025-68936 identifies a Cross-site Scripting (XSS) vulnerability in ONLYOFFICE Document Server versions prior to 9.2.1. The vulnerability stems from improper neutralization of user-supplied input in the Color theme name parameter during web page generation, classified under CWE-79. An attacker with low privileges (PR:L) can remotely exploit this issue over the network (AV:N) without requiring user interaction (UI:N). The vulnerability has a CVSS v3.1 base score of 6.4, indicating medium severity. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially vulnerable component. Successful exploitation allows injection of malicious scripts that execute in the context of the victim's browser, potentially leading to partial disclosure of sensitive information (C:L) and modification of data integrity (I:L), but does not impact system availability (A:N). No patches or exploits are currently publicly available, but the vulnerability is documented and should be addressed proactively. The vulnerability is particularly relevant for environments where ONLYOFFICE Document Server is used for collaborative document editing and sharing, as malicious scripts could be used to hijack sessions, steal credentials, or manipulate document content.

Potential Impact

For European organizations, this vulnerability poses a moderate risk to confidentiality and integrity of sensitive documents and user sessions managed via ONLYOFFICE Document Server. Exploitation could enable attackers to steal authentication tokens, execute unauthorized actions on behalf of users, or inject misleading content into documents. This is especially critical for sectors handling sensitive or regulated data such as finance, healthcare, and government. The lack of availability impact reduces the risk of service disruption but does not diminish the potential for data breaches or reputational damage. Organizations relying on ONLYOFFICE for document collaboration across multiple users or departments may face increased risk of lateral movement or privilege escalation if attackers leverage this XSS flaw. Given the medium CVSS score and ease of exploitation, timely remediation is essential to prevent targeted attacks, particularly in environments with remote or hybrid workforces common in Europe.

Mitigation Recommendations

1. Apply the official patch or upgrade ONLYOFFICE Document Server to version 9.2.1 or later as soon as it becomes available.
2. Restrict access to the Document Server to trusted networks and authenticated users only, minimizing exposure to untrusted actors.
3. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in browsers.
4. Deploy Web Application Firewalls (WAF) with rules specifically designed to detect and block XSS payloads targeting the Color theme name or similar input vectors.
5. Conduct regular security assessments and code reviews focusing on input validation and output encoding in web applications.
6. Educate users and administrators about the risks of XSS and encourage vigilance when interacting with document collaboration platforms.
7. Monitor logs and network traffic for unusual activities that could indicate exploitation attempts.
8. Consider isolating the Document Server environment or using containerization to limit the impact of potential compromises.
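Items 4 and 5 above concern input validation and output encoding. The following added illustration (not ONLYOFFICE code) places the unsafe rendering pattern CWE-79 describes beside a hardened rendering of a user-supplied colour theme name; the field name, the template and the allow-list are assumptions for this example.

```javascript
// Added example, not ONLYOFFICE code: rendering a user-supplied "color theme
// name" in a settings list. The theme object, template and allow-list are
// constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup unchanged,
// so a name containing markup is interpreted by the browser (CWE-79).
function renderThemeOptionUnsafe(theme) {
  return `<li class="theme" data-theme="${theme.name}">${theme.name}</li>`;
}

// Hardened pattern: the same template, every interpolation escaped for the
// context it lands in (attribute value and element text).
function renderThemeOptionSafe(theme) {
  const name = escapeHtml(theme.name);
  return `<li class="theme" data-theme="${name}">${name}</li>`;
}

// Defence in depth on save: a theme name is a display label, so an allow-list
// of letters, digits, spaces and a little punctuation rejects markup outright.
const THEME_NAME_RE = /^[\p{L}\p{N} _().-]{1,64}$/u;
function isValidThemeName(name) {
  return typeof name === 'string' && THEME_NAME_RE.test(name);
}

// Constructed samples: one benign name, one that breaks out of the attribute.
const SAMPLES = [
  { name: 'Dark Contrast' },
  { name: '"><script>alert(1)</script>' },
];

for (const theme of SAMPLES) {
  console.log('valid on save:', isValidThemeName(theme.name));
  console.log('unsafe:', renderThemeOptionUnsafe(theme));
  console.log('safe:  ', renderThemeOptionSafe(theme));
}

module.exports = { escapeHtml, renderThemeOptionUnsafe, renderThemeOptionSafe, isValidThemeName };
```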


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-12-25T20:07:55.614Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 694d9b76ac739891066893e5

Added to database: 12/25/2025, 8:15:50 PM

Last enriched: 1/1/2026, 10:41:59 PM

Last updated: 2/5/2026, 8:57:00 PM

Views: 243
