A vulnerability classified as problematic has been found in Ascensio System SIA OnlyOffice up to 12.7.0. It affects unspecified processing of the file /Products/Projects/Messages.aspx in the SVG Image Handler component. Manipulation of this processing results in cross-site scripting.

This vulnerability is tracked as CVE-2025-10254. The attack may be initiated remotely, and an exploit is available.

The vendor was informed early about this issue and replied: “We are already working on this case, and the issues will be resolved in one of the upcoming patches.”