CVSS: 7.3EPSS: 1%CPEs: 2EXPL: 0CVE-2024-3044 – Graphic on-click binding allows unchecked script execution
https://notcve.org/view.php?id=CVE-2024-3044
14 May 2024 — Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted. La ejecución de script sin marcar en el enlace gráfico al hacer clic en las versiones afectadas de LibreOffice permite a un atacante crear un documento que, sin aviso, ejecutará script integradas en LibreOffice al hacer cl... • https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-356: Product UI does not Warn User of Unsafe Actions •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6186 – Link targets allow arbitrary script execution
https://notcve.org/view.php?id=CVE-2023-6186
11 Dec 2023 — Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user. La validación insuficiente de permisos en las macros de The Document Foundation LibreOffice permite a un atacante ejecutar macros integradas sin previo aviso. En las versiones afectadas, LibreOffice admite h... • https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html • CWE-250: Execution with Unnecessary Privileges CWE-281: Improper Preservation of Permissions •
CVSS: 9.0EPSS: 1%CPEs: 5EXPL: 0CVE-2023-6185 – Improper input validation enabling arbitrary Gstreamer pipeline injection
https://notcve.org/view.php?id=CVE-2023-6185
11 Dec 2023 — Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system. Vulnerabilidad de validación de entrada incorrecta en la integración GStreamer de The Document Foundation LibreOffice perm... • https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html • CWE-250: Execution with Unnecessary Privileges •