Collaboraonline Online vulnerabilities
16 known vulnerabilities affecting collaboraonline/online.
Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL: 1, HIGH: 4, MEDIUM: 11
Vulnerabilities
CVE-2025-66208 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 25.04.702 | 2025-12-03
Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server ap
nvd
CVE-2025-27791 | P3 | HIGH | CVSS 8.3 | CWE-23 | v >= 24.04.1.1, < 24.04.13.1 | v >= 23.05.0, < 23.05.19 | +1 more | 2025-04-15
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a
nvd
CVE-2021-32744 | P3 | HIGH | CVSS 7.5 | CWE-639 | fixed in 4.2.17-1 | v >= 6.4.0, < 6.4.9-5 | 2021-07-21
Collabora Online is a collaborative online office suite. In versions prior to 4.2.17-1 and version 6.4.9-5, unauthenticated attackers are able to gain access to files which are currently opened by other users in the Collabora Online editor. For successful exploitation the attacker is required to guess the file identifier - the predictability of this f
nvd
CVE-2024-37311 | P3 | HIGH | CVSS 8.2 | CWE-295 | v >= 24.04.1.1, < 24.04.4.3 | v >= 23.05.0-1, < 23.05.14-1 | +1 more | 2024-08-23
Collabora Online is a collaborative online office suite based on LibreOffice. In affected versions of Collabora Online, HTTPS connections from coolwsd to other hosts may incompletely verify the remote host's certificate against the full chain of trust. This vulnerability is fixed in Collabora Online 24.04.4.3, 23.05.14.1, and 22.05.23.1.
nvd
CVE-2023-49788 | P3 | HIGH | CVSS 7.2 | CWE-22 | fixed in 23.5.602 | 2023-12-08
Collabora Online is a collaborative online office suite based on LibreOffice technology. Unlike a standalone dedicated Collabora Online server, the Built-in CODE Server (richdocumentscode) is run without chroot sandboxing. Vulnerable versions of the richdocumentscode app can be susceptible to attack via modified client->server commands to overwrite fil
nvd
CVE-2025-24796 | P3 | MEDIUM | CVSS 6.3 | CWE-829 | fixed in 22.05.25 | v >= 23.05.1, < 23.05.19 | +1 more | 2025-03-06
Collabora Online is a collaborative online office suite based on LibreOffice. Macro support is disabled by default in Collabora Online, but can be enabled by an administrator. Collabora Online typically hosts each document instance within a jail and is allowed to download content from locations controlled by the net.lok_allow configuration option, w
nvd
CVE-2026-23623 | P4 | MEDIUM | CVSS 5.3 | CWE-285 | v Collabora Online < 25.04.7.5 | v Collabora Online < 24.04.17.3 | +2 more | 2026-02-06
Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user with view-only rights and no download privileges can obtain a local copy of a shared file. Although there are no
nvd
CVE-2024-45045 | P4 | MEDIUM | CVSS 6.1 | CWE-84 | v Collabora Office (Android): < 24.04.6.2 | 2024-08-29
Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile (Android/iOS) device variants of Collabora Online it was possible to inject JavaScript via URL-encoded values in links contained in documents. Since the Android JavaScript interface allows access to internal functions, the likelihood that the app co
nvd
CVE-2023-49782 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 23.5.601 | 2023-12-08
Collabora Online is a collaborative online office suite based on LibreOffice technology. Users of Nextcloud with `Collabora Online - Built-in CODE Server` app can be vulnerable to attack via proxy.php. The bug was fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.601. Users are advised to upgrade. There are no known wo
nvd
CVE-2023-48314 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 23.5.403 | 2023-12-01
Collabora Online is a collaborative online office suite based on LibreOffice technology. Users of Nextcloud with Collabora Online Built-in CODE Server app can be vulnerable to attack via proxy.php. This vulnerability has been fixed in Collabora Online - Built-in CODE Server (richdocumentscode) release 23.5.403. Users are advised to upgrade. There are
nvd
CVE-2024-25114 | P4 | MEDIUM | CVSS 5.3 | CWE-200 | v >= 23.0.0, < 23.05.9 | v >= 22.0.0, < 22.05.22 | +1 more | 2024-03-11
Collabora Online is a collaborative online office suite based on LibreOffice technology. Each document in Collabora Online is opened by a separate "Kit" instance in a different "jail" with a unique directory "jailID" name. For security reasons, this directory name is randomly generated and should not be given out to the client. In affected versions
nvd
CVE-2021-43817 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v >= 6.0.0, < 6.4.16 | fixed in 4.2.20 | 2021-12-13
Collabora Online is a collaborative online office suite based on LibreOffice technology. In affected versions a reflected XSS vulnerability was found in Collabora Online. An attacker could inject unescaped HTML into a variable as they created the Collabora Online iframe, and execute scripts inside the context of the Collabora Online iframe. This woul
nvd
CVE-2023-31145 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 6.4.27 | v >= 21.0.0, < 21.11.9 | +1 more | 2023-05-15
Collabora Online is a collaborative online office suite based on LibreOffice technology. This vulnerability report describes a reflected XSS vulnerability with full CSP bypass in Nextcloud installations using the recommended bundle. The vulnerability can be exploited to perform a trivial account takeover attack. The vulnerability allows attackers to
nvd
CVE-2021-32745 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 6.4.9-5 | 2021-07-21
Collabora Online is a collaborative online office suite. A reflected XSS vulnerability was found in Collabora Online prior to version 6.4.9-5. An attacker could inject unescaped HTML into a variable as they created the Collabora Online iframe, and execute scripts inside the context of the Collabora Online iframe. This would give access to a small set
nvd
CVE-2024-29182 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v >= 23, < 23.05.10.1 | 2024-04-04
Collabora Online is a collaborative online office suite based on LibreOffice. A stored cross-site scripting vulnerability was found in Collabora Online. An attacker could create a document with an XSS payload in document text referenced by field which, if hovered over to produce a tooltip, could be executed by the user's browser. Users should upgrade
nvd
CVE-2023-34088 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v coolwsd < 22.05.13 | v coolwsd < 21.11.9.1 | +1 more | 2023-05-31
Collabora Online is a collaborative online office suite. A stored cross-site scripting (XSS) vulnerability was found in Collabora Online prior to versions 22.05.13, 21.11.9.1, and 6.4.27. An attacker could create a document with an XSS payload as a document name. Later, if an administrator opened the admin console and navigated to the history page, t
nvd