CVE-2025-68936 is a Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting ONLYOFFICE Document Server versions prior to 9.2.1. The vulnerability stems from improper input sanitization of the Color theme name parameter during web page generation. An attacker with low privileges (PR:L) can craft malicious input that is reflected in the web interface without requiring user interaction (UI:N). The vulnerability has a CVSS v3.1 base score of 6.4, indicating medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), and scope change (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. Successful exploitation can lead to partial disclosure of confidential information and modification of data integrity, such as session hijacking or unauthorized actions performed in the context of the victim's browser session. The vulnerability does not impact system availability. No patches are linked yet, and no known exploits are reported in the wild, but the presence of this flaw in a widely used collaborative document platform poses a risk if left unmitigated.

For European organizations, exploitation of this XSS vulnerability could enable attackers to steal session tokens, perform unauthorized actions, or deliver further malware via the Document Server interface. This is particularly concerning for sectors relying heavily on collaborative document editing, such as government agencies, financial institutions, and large enterprises. Confidentiality and integrity of sensitive documents could be compromised, potentially leading to data breaches or manipulation of official records. Since the vulnerability requires only low privileges and no user interaction, insider threats or compromised accounts could be leveraged to escalate attacks. The medium severity suggests a moderate risk, but the scope change indicates potential for broader impact within affected environments. Organizations using ONLYOFFICE Document Server in Europe should assess their exposure and prioritize remediation to avoid targeted attacks, especially given the increasing reliance on remote collaboration tools.

1. Upgrade ONLYOFFICE Document Server to version 9.2.1 or later as soon as the patch becomes available to address the vulnerability directly. 2. Until patching is possible, restrict access to the Document Server interface to trusted users and networks using network segmentation and firewall rules. 3. Implement strict input validation and output encoding on all user-supplied inputs, particularly those related to UI customization such as Color theme names, to prevent injection of malicious scripts. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 5. Monitor logs for unusual activities or attempts to inject scripts via theme names or other parameters. 6. Educate users and administrators about the risks of XSS and encourage vigilance when interacting with document server interfaces. 7. Consider deploying Web Application Firewalls (WAF) with rules tuned to detect and block XSS payloads targeting ONLYOFFICE Document Server.