8 results (0.009 seconds)

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

04 Mar 2025 — LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1. LibreOffice supports ... • https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080 • CWE-20: Improper Input Validation •

CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0

25 Feb 2025 — Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation.This issue affects LibreOffice: from 24.8 before < 24.8.5. • https://www.libreoffice.org/about-us/security/advisories/cve-2025-0514 • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

07 Jan 2025 — Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4. Thomas Rinsma discovered that LibreOffice incorrectly handled paths when processing embedded font fil... • https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

07 Jan 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal. An attacker can write to arbitrary locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files. This issue affects LibreOffice: from 24.8 before < 24.8.4. La vulnerabilidad de limitación incorrecta de una ruta de acceso a un directorio restringido ('Path Traversal') en The Document Foundation LibreOff... • https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0

17 Sep 2024 — Improper Digital Signature Invalidation vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOfficeThis issue affects LibreOffice: from 24.2 before < 24.2.5. It was discovered that LibreOffice would incorrectly handle digital signature verification after repairing a corrupted document. A remote attacker could possibly use this issue to forge valid signatures. • https://www.libreoffice.org/about-us/security/advisories/CVE-2024-7788 • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

05 Aug 2024 — Certificate Validation user interface in LibreOffice allows potential vulnerability. Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. When a document with a signed macro is opened a warning is displayed by LibreOffice before the macro is executed. Previously if verification failed the user could fail to understand the failure and choose to enable the macros anyway. This issue affects LibreOffice: from 24.2 before 24.2.5. • https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472 • CWE-295: Improper Certificate Validation •

CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0

25 Jun 2024 — Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKi... • https://www.libreoffice.org/about-us/security/advisories/cve-2024-5261 • CWE-295: Improper Certificate Validation •

CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0

14 May 2024 — Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted. La ejecución de script sin marcar en el enlace gráfico al hacer clic en las versiones afectadas de LibreOffice permite a un atacante crear un documento que, sin aviso, ejecutará script integradas en LibreOffice al hacer cl... • https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-356: Product UI does not Warn User of Unsafe Actions •