CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-3044 – Graphic on-click binding allows unchecked script execution
https://notcve.org/view.php?id=CVE-2024-3044
Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted. La ejecución de script sin marcar en el enlace gráfico al hacer clic en las versiones afectadas de LibreOffice permite a un atacante crear un documento que, sin aviso, ejecutará script integradas en LibreOffice al hacer clic en un gráfico. Anteriormente, estos scripts se consideraban confiables, pero ahora se consideran no confiables. A flaw was found in LibreOffice. • https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TU3TYDXICKPYHMCNL7ARYYBXACEAYJ4 https://www.libreoffice.org/about-us/security/advisories/CVE-2024-3044 https://access.redhat.com/security/cve/CVE-2024-3044 https://bugzilla.redhat.com/show_bug.cgi?id=2280542 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6186 – Link targets allow arbitrary script execution
https://notcve.org/view.php?id=CVE-2023-6186
Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user. La validación insuficiente de permisos en las macros de The Document Foundation LibreOffice permite a un atacante ejecutar macros integradas sin previo aviso. En las versiones afectadas, LibreOffice admite hipervínculos con macros o destinos de comandos integrados similares que se pueden ejecutar cuando se activan sin advertir al usuario. An insufficient permission validation vulnerability was found in LibreOffice. In versions that support running commands in hyperlinks, an attacker can execute built-in macros without warning the user. • https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB7UB6CTWQUDOE657OVVRSDYUY3IPBJG https://www.debian.org/security/2023/dsa-5574 https://www.libreoffice.org/about-us/security/advisories/cve-2023-6186 https://access.redhat.com/security/cve/CVE-2023-6186 https://bugzilla.redhat.com/show_bug.cgi?id=2254005 • CWE-250: Execution with Unnecessary Privileges CWE-281: Improper Preservation of Permissions •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-6185 – Improper input validation enabling arbitrary Gstreamer pipeline injection
https://notcve.org/view.php?id=CVE-2023-6185
Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system. Vulnerabilidad de validación de entrada incorrecta en la integración GStreamer de The Document Foundation LibreOffice permite a un atacante ejecutar complementos GStreamer arbitrarios. En las versiones afectadas, el nombre de archivo del vídeo incrustado no se escapa lo suficiente cuando se pasa a GStreamer, lo que permite a un atacante ejecutar complementos arbitrarios de gstreamer dependiendo de qué complementos estén instalados en el sistema de destino. An improper input validation vulnerability was found in LibreOffice. In versions where filenames are not sufficiently escaped, an attacker can execute arbitrary GStreamer plugins. • https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB7UB6CTWQUDOE657OVVRSDYUY3IPBJG https://www.debian.org/security/2023/dsa-5574 https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185 https://access.redhat.com/security/cve/CVE-2023-6185 https://bugzilla.redhat.com/show_bug.cgi?id=2254003 • CWE-250: Execution with Unnecessary Privileges •