MidnightBSD

Advisories for libreoffice

CVE-2011-2685 HIGH

Stack-based buffer overflow in the Lotus Word Pro import filter in LibreOffice before 3.3.3 allows remote attackers to execute arbitrary code via a crafted .lwp file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libreoffice libreoffice 3.3.1
libreoffice libreoffice *
libreoffice libreoffice 3.3.0
CVE-2011-2713 MEDIUM

oowriter in OpenOffice.org 3.3.0 and LibreOffice before 3.4.3 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted DOC file that triggers an out-of-bounds read in the DOC sprm parser.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libreoffice libreoffice 3.3.1
libreoffice libreoffice *
libreoffice libreoffice 3.3.0
libreoffice libreoffice 3.3.2
libreoffice libreoffice 3.4.1
libreoffice libreoffice 3.3.3
libreoffice libreoffice 3.3.4
sun openoffice.org 3.3.0
libreoffice libreoffice 3.4.0
CVE-2012-0037 MEDIUM

Redland Raptor (aka libraptor) before 2.0.7, as used by OpenOffice 3.3 and 3.4 Beta, LibreOffice before 3.4.6 and 3.5.x before 3.5.1, and other products, allows user-assisted remote attackers to read arbitrary files via a crafted XML external entity (XXE) declaration and reference in an RDF document.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
debian debian_linux 6.0
libreoffice libreoffice 3.3.3
apache openoffice.org 3.4
libreoffice libreoffice 3.4.0
libreoffice libreoffice 3.3.1
redhat enterprise_linux_desktop 6.0
libreoffice libreoffice 3.3.0
apache openoffice.org 3.3
libreoffice libreoffice 3.3.2
redhat enterprise_linux_eus 6.2
redhat storage_for_public_cloud 2.0
libreoffice libreoffice 3.5.0
libreoffice libreoffice 3.3.4
redhat gluster_storage_server_for_on-premise 2.0
redhat enterprise_linux_workstation 5.0
fedoraproject fedora 16
redhat storage 2.0
libreoffice libreoffice 3.4.2
libreoffice libreoffice 3.4.5
fedoraproject fedora 17
apache openoffice 3.4.0
librdf raptor *
libreoffice libreoffice *
redhat enterprise_linux_server_aus 6.2
redland libraptor *
apache openoffice 3.3.0
redhat enterprise_linux_server 5.0
redhat enterprise_linux_workstation 6.0
libreoffice libreoffice 3.4.1
redhat enterprise_linux_desktop 5.0
redhat enterprise_linux_server 6.0
libreoffice libreoffice 3.5
CVE-2012-1149 HIGH

Integer overflow in the vclmi.dll module in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embedded image object, as demonstrated by a JPEG image in a .DOC file, which triggers a heap-based buffer overflow.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-189,

Products Affected

Vendor Product Version
debian debian_linux 6.0
debian debian_linux 7.0
apache openoffice.org 3.4
libreoffice libreoffice *
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_server_aus 6.2
fedoraproject fedora 15
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_desktop 5.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux 5.0
redhat enterprise_linux_server_eus 6.2.z
apache openoffice.org 3.3.0
fedoraproject fedora 16
CVE-2012-2334 MEDIUM

Integer overflow in filter/source/msfilter/msdffimp.cxx in OpenOffice.org (OOo) 3.3, 3.4 Beta, and possibly earlier, and LibreOffice before 3.5.3, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the length of an Escher graphics record in a PowerPoint (.ppt) document, which triggers a buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
libreoffice libreoffice 3.4.2
libreoffice libreoffice 3.3.3
libreoffice libreoffice 3.4.5
apache openoffice.org 3.4
libreoffice libreoffice 3.4.0
libreoffice libreoffice 3.3.1
libreoffice libreoffice *
libreoffice libreoffice 3.3.0
apache openoffice.org 3.3
libreoffice libreoffice 3.3.2
libreoffice libreoffice 3.4.1
libreoffice libreoffice 3.3.4
libreoffice libreoffice 3.5
CVE-2012-2665 HIGH

Multiple heap-based buffer overflows in the XML manifest encryption tag parsing functionality in OpenOffice.org and LibreOffice before 3.5.5 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Open Document Text (.odt) file with (1) a child tag within an incorrect parent tag, (2) duplicate tags, or (3) a Base64 ChecksumAttribute whose length is not evenly divisible by four.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
debian debian_linux 6.0
canonical ubuntu_linux 11.10
canonical ubuntu_linux 12.04
apache openoffice *
canonical ubuntu_linux 10.04
debian debian_linux 7.0
libreoffice libreoffice *
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 11.04
redhat enterprise_linux_for_ibm_z_systems 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_for_power_big_endian 6.0
redhat enterprise_linux_server 6.0
redhat enterprise_linux 6.0
redhat enterprise_linux_server_from_rhui_6 6.0
CVE-2012-5639 MEDIUM

LibreOffice and OpenOffice automatically open embedded content

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-668,

Products Affected

Vendor Product Version
libreoffice libreoffice -
apache openoffice -
debian debian_linux 9.0
debian debian_linux 10.0
debian debian_linux 8.0
CVE-2014-0247 HIGH

LibreOffice 4.2.4 executes unspecified VBA macros automatically, which has unspecified impact and attack vectors, possibly related to doc/docmacromode.cxx.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
fedoraproject fedora 19
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
opensuse opensuse 13.1
canonical ubuntu_linux 14.04
libreoffice libreoffice 4.2.4
redhat enterprise_linux_server 7.0
CVE-2014-3524 HIGH

Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-77,

Products Affected

Vendor Product Version
libreoffice libreoffice *
apache openoffice *
CVE-2014-3575 MEDIUM

The OLE preview generation in Apache OpenOffice before 4.1.1 and OpenOffice.org (OOo) might allow remote attackers to embed arbitrary data into documents via crafted OLE objects.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
libreoffice libreoffice *
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
apache openoffice *
redhat enterprise_linux_server 7.0
CVE-2014-3693 HIGH

Use-after-free vulnerability in the socket manager of Impress Remote in LibreOffice 4.x before 4.2.7 and 4.3.x before 4.3.3 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request to TCP port 1599.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
redhat enterprise_linux_workstation 7.0
libreoffice libreoffice 4.1.2
redhat enterprise_linux_server 7.0
libreoffice libreoffice 4.1.0
libreoffice libreoffice 4.2.3
redhat enterprise_linux_desktop 7.0
libreoffice libreoffice 4.0.0
canonical ubuntu_linux 14.04
libreoffice libreoffice 4.3.0
libreoffice libreoffice 4.0.4.2
libreoffice libreoffice 4.1.3
libreoffice libreoffice 4.2.1
libreoffice libreoffice 4.0.3
libreoffice libreoffice 4.2.4
libreoffice libreoffice 4.1.1
libreoffice libreoffice 4.2.5
canonical ubuntu_linux 14.10
libreoffice libreoffice 4.0.3.3
libreoffice libreoffice 4.0.2
libreoffice libreoffice 4.3.2
opensuse opensuse 13.1
libreoffice libreoffice 4.2.6
libreoffice libreoffice 4.2.0
libreoffice libreoffice 4.2.2
libreoffice libreoffice 4.3.1
libreoffice libreoffice 4.1.4
libreoffice libreoffice 4.0.1
CVE-2014-9093 HIGH

LibreOffice before 4.3.5 allows remote attackers to cause a denial of service (invalid write operation and crash) and possibly execute arbitrary code via a crafted RTF file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
libreoffice libreoffice *
fedoraproject fedora 20
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
debian debian_linux 7.0
canonical ubuntu_linux 14.10
CVE-2015-1774 MEDIUM

The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-787,

Products Affected

Vendor Product Version
fedoraproject fedora 21
canonical ubuntu_linux 12.04
libreoffice libreoffice 4.4.1
apache openoffice *
debian debian_linux 7.0
canonical ubuntu_linux 14.10
libreoffice libreoffice *
redhat enterprise_linux_desktop 6.0
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 14.04
libreoffice libreoffice 4.4.0
debian debian_linux 8.0
CVE-2015-4551 MEDIUM

LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 uses the stored LinkUpdateMode configuration information in OpenDocument Format files and templates when handling links, which might allow remote attackers to obtain sensitive information via a crafted document, which embeds data from local files into (1) Calc or (2) Writer.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
libreoffice libreoffice *
canonical ubuntu_linux 12.04
apache openoffice *
canonical ubuntu_linux 15.04
canonical ubuntu_linux 14.04
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2015-5212 MEDIUM

Integer underflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2, when the configuration setting "Load printer settings with the document" is enabled, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via crafted PrinterSetup data in an ODF document.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-191,

Products Affected

Vendor Product Version
libreoffice libreoffice *
canonical ubuntu_linux 12.04
apache openoffice *
canonical ubuntu_linux 15.04
canonical ubuntu_linux 14.04
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2015-5213 MEDIUM

Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a long DOC file, which triggers a buffer overflow.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-189,

Products Affected

Vendor Product Version
libreoffice libreoffice *
canonical ubuntu_linux 12.04
apache openoffice *
canonical ubuntu_linux 15.04
canonical ubuntu_linux 14.04
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2015-5214 MEDIUM

LibreOffice before 4.4.6 and 5.x before 5.0.1 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via an index to a non-existent bookmark in a DOC file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libreoffice libreoffice *
canonical ubuntu_linux 12.04
apache openoffice *
canonical ubuntu_linux 15.04
canonical ubuntu_linux 14.04
debian debian_linux 7.0
debian debian_linux 8.0
CVE-2016-0794 HIGH

The lwp filter in LibreOffice before 5.0.4 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted LotusWordPro (lwp) document.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libreoffice libreoffice *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.10
CVE-2016-0795 HIGH

LibreOffice before 5.0.5 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted LwpTocSuperLayout record in a LotusWordPro (lwp) document.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libreoffice libreoffice *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 14.04
canonical ubuntu_linux 15.10
CVE-2016-10327 HIGH

LibreOffice before 2016-12-22 has an out-of-bounds write caused by a heap-based buffer overflow related to the EnhWMFReader::ReadEnhWMF function in vcl/source/filter/wmf/enhwmf.cxx.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2016-4324 MEDIUM

Use-after-free vulnerability in LibreOffice before 5.1.4 allows remote attackers to execute arbitrary code via a crafted RTF file, related to stylesheet and superscript tokens.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
libreoffice libreoffice *
canonical ubuntu_linux 12.04
canonical ubuntu_linux 15.10
debian debian_linux 8.0
canonical ubuntu_linux 16.04
CVE-2017-14226 MEDIUM

WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.cpp in libwpd 0.10.1 mishandle iterators, which allows remote attackers to cause a denial of service (heap-based buffer over-read in the WPXTableList class in WPXTable.cpp). This vulnerability can be triggered in LibreOffice before 5.3.7. It may lead to suffering a remote attack against a LibreOffice application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
libreoffice libreoffice *
libwpd libwpd 0.10.1
CVE-2017-7856 HIGH

LibreOffice before 2017-03-11 has an out-of-bounds write caused by a heap-based buffer overflow in the SVMConverter::ImplConvertFromSVM1 function in vcl/source/gdi/svmconverter.cxx.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2017-7870 HIGH

LibreOffice before 2017-01-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tools::Polygon::Insert function in tools/source/generic/poly.cxx.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2017-7882 HIGH

LibreOffice before 2017-03-14 has an out-of-bounds write related to the HWPFile::TagsRead function in hwpfilter/source/hwpfile.cxx.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2017-8358 HIGH

LibreOffice before 2017-03-17 has an out-of-bounds write caused by a heap-based buffer overflow related to the ReadJPEG function in vcl/source/filter/jpeg/jpegc.cxx.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,CWE-787,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2018-10119 MEDIUM

sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service (use-after-free with write access) or possibly have unspecified other impact via a crafted document that uses the structured storage ole2 wrapper file format.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-416,

Products Affected

Vendor Product Version
libreoffice libreoffice *
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
debian debian_linux 7.0
debian debian_linux 8.0
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 16.04
CVE-2018-10120 MEDIUM

The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and 6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a denial of service (heap-based buffer overflow with write access) or possibly have unspecified other impact via a crafted document that contains a certain Microsoft Word record.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-129,CWE-787,

Products Affected

Vendor Product Version
libreoffice libreoffice *
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
canonical ubuntu_linux 14.04
debian debian_linux 9.0
debian debian_linux 7.0
debian debian_linux 8.0
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 16.04
CVE-2018-10583 MEDIUM

An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_workstation 7.0
libreoffice libreoffice 6.0.3
canonical ubuntu_linux 14.04
apache openoffice 4.1.5
debian debian_linux 9.0
debian debian_linux 7.0
debian debian_linux 8.0
redhat enterprise_linux_server 7.0
canonical ubuntu_linux 16.04
CVE-2018-14939 HIGH

The get_app_path function in desktop/unx/source/start.c in LibreOffice through 6.0.5 mishandles the realpath function in certain environments such as FreeBSD libc, which might allow attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact if LibreOffice is automatically launched during web browsing with pathnames controlled by a remote web site.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2018-16858 HIGH

It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-356,CWE-22,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2018-18688 MEDIUM

The Portable Document Format (PDF) specification does not provide any information regarding the concrete procedure of how to validate signatures. Consequently, an Incremental Saving vulnerability exists in multiple products. When an attacker uses the Incremental Saving feature to add pages or annotations, Body Updates are displayed to the user without any action by the signature-validation logic. This affects Foxit Reader before 9.4 and PhantomPDF before 8.3.9 and 9.x before 9.4. It also affects LibreOffice, Master PDF Editor, Nitro Pro, Nitro Reader, Nuance Power PDF Standard, PDF Editor 6 Pro, PDFelement6 Pro, PDF Studio Viewer 2018, PDF Studio Pro, Perfect PDF 10 Premium, and Perfect PDF Reader.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
foxitsoftware foxit_reader 9.1.0
iskysoft pdfelement6 6.7.1.3355
iskysoft pdfelement6 6.8.0.3523
iskysoft pdf_editor_6 6.6.2.3315
iskysoft pdfelement6 6.7.6.3399
libreoffice libreoffice 6.1.3.2
qoppa pdf_studio_viewer_2018 2018.0.1
gonitro nitro_reader 5.5.9.2
nuance power_pdf_standard 3.0.0.17
iskysoft pdf_editor_6 6.7.6.3399
nuance power_pdf_standard 7.0
soft-xpansion perfect_pdf_reader 13.0.3
foxitsoftware foxit_reader 9.2.0
code-industry master_pdf_editor 5.1.68
libreoffice libreoffice 6.0.6.2
gonitro nitro_pro 11.0.3.173
foxitsoftware foxit_reader 9.4
nuance power_pdf_standard 3.0.0.30
iskysoft pdf_editor_6 6.4.2.3521
qoppa pdf_studio 12.0.7
foxitsoftware phantompdf *
qoppa pdf_studio_viewer_2018 2018.2.0
iskysoft pdfelement6 6.8.4.3921
code-industry master_pdf_editor 5.1.12
foxitsoftware phantompdf 8.3.9
soft-xpansion perfect_pdf_reader 13.1.5
libreoffice libreoffice 6.1.0.3
soft-xpansion perfect_pdf_10 10.0.0.1
code-industry master_pdf_editor 5.1.24
CVE-2018-6871 MEDIUM

LibreOffice before 5.4.5 and 6.x before 6.0.1 allows remote attackers to read arbitrary files via =WEBSERVICE calls in a document, which use the COM.MICROSOFT.WEBSERVICE function.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_server_aus 7.6
redhat enterprise_linux_workstation 7.0
redhat enterprise_linux_server_eus 7.5
libreoffice libreoffice 6.0.0
redhat enterprise_linux_server_aus 7.4
redhat enterprise_linux_server_tus 7.4
redhat enterprise_linux_server 7.0
libreoffice libreoffice *
redhat enterprise_linux_desktop 6.0
canonical ubuntu_linux 17.10
redhat enterprise_linux_workstation 6.0
redhat enterprise_linux_server_tus 7.6
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server 6.0
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.4
debian debian_linux 9.0
canonical ubuntu_linux 16.04
CVE-2019-9847 MEDIUM

A vulnerability in LibreOffice hyperlink processing allows an attacker to construct documents containing hyperlinks pointing to the location of an executable on the target users file system. If the hyperlink is activated by the victim the executable target is unconditionally launched. Under Windows and macOS when processing a hyperlink target explicitly activated by the user there was no judgment made on whether the target was an executable file, so such executable targets were launched unconditionally. This issue affects: All LibreOffice Windows and macOS versions prior to 6.1.6; LibreOffice Windows and macOS versions in the 6.2 series prior to 6.2.3.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2019-9848 HIGH

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
libreoffice libreoffice *
fedoraproject fedora 30
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 18.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 16.04
fedoraproject fedora 29
CVE-2019-9849 MEDIUM

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
libreoffice libreoffice *
fedoraproject fedora 30
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 18.04
opensuse leap 15.0
debian debian_linux 8.0
canonical ubuntu_linux 16.04
fedoraproject fedora 29
CVE-2019-9850 HIGH

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
libreoffice libreoffice *
fedoraproject fedora 30
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 18.04
debian debian_linux 9.0
opensuse leap 15.0
debian debian_linux 10.0
debian debian_linux 8.0
canonical ubuntu_linux 16.04
fedoraproject fedora 29
CVE-2019-9851 HIGH

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over. However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can be executed on various global script events such as document-open, etc. In the fixed versions, global script event handlers are validated equivalently to document script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
libreoffice libreoffice *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 18.04
debian debian_linux 9.0
opensuse leap 15.0
debian debian_linux 10.0
debian debian_linux 8.0
canonical ubuntu_linux 16.04
fedoraproject fedora 29
CVE-2019-9852 MEDIUM

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,CWE-22,

Products Affected

Vendor Product Version
libreoffice libreoffice *
opensuse leap 15.1
canonical ubuntu_linux 19.04
canonical ubuntu_linux 18.04
debian debian_linux 9.0
opensuse leap 15.0
debian debian_linux 10.0
debian debian_linux 8.0
canonical ubuntu_linux 16.04
fedoraproject fedora 29
CVE-2019-9853 MEDIUM

LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,CWE-116,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2019-9854 MEDIUM

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
redhat enterprise_linux 7.0
canonical ubuntu_linux 19.04
opensuse leap 15.0
libreoffice libreoffice *
opensuse leap 15.1
redhat enterprise_linux 8.0
canonical ubuntu_linux 18.04
debian debian_linux 9.0
debian debian_linux 10.0
debian debian_linux 8.0
canonical ubuntu_linux 16.04
fedoraproject fedora 29
CVE-2019-9855 HIGH

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handers. However a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-417,

Products Affected

Vendor Product Version
libreoffice libreoffice *
opensuse leap 15.1
opensuse leap 15.0
CVE-2020-12801 MEDIUM

If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was not LibreOffice's default ODF file format, then affected versions of LibreOffice default that subsequent saves of the document are unencrypted. This may lead to a user accidentally saving a MSOffice file format document unencrypted while believing it to be encrypted. This issue affects: LibreOffice 6-3 series versions prior to 6.3.6; 6-4 series versions prior to 6.4.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,CWE-312,

Products Affected

Vendor Product Version
libreoffice libreoffice *
opensuse leap 15.1
CVE-2020-12802 MEDIUM

LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,NVD-CWE-Other,

Products Affected

Vendor Product Version
libreoffice libreoffice *
opensuse leap 15.1
fedoraproject fedora 31
opensuse leap 15.2
CVE-2020-12803 MEDIUM

ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form data can be submitted to a URI, for example, to an external web server. To create submittable forms, ODF implements the XForms W3C standard, which allows data to be submitted without the need for macros or other active scripting Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files. User-interaction is required to submit the form, but to avoid the possibility of malicious documents engineered to maximize the possibility of inadvertent user submission this feature has now been limited to http[s] URIs, removing the possibility to overwrite local files. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
libreoffice libreoffice *
opensuse leap 15.1
fedoraproject fedora 31
CVE-2021-25631 HIGH

In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist can be circumvented by manipulating the link so it doesn't match the denylist but results in ShellExecute attempting to launch an executable type.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-184,NVD-CWE-Other,

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2021-25633 MEDIUM

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to combine multiple certificate data, which when opened caused LibreOffice to display a validly signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
CVE-2021-25634 MEDIUM

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to modify a digitally signed ODF document to insert an additional signing time timestamp which LibreOffice would incorrectly present as a valid signature signed at the bogus signing time. This issue affects: The Document Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,CWE-295,

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
CVE-2021-25635

An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to self sign an ODF document, with a signature untrusted by the target, then modify it to change the signature algorithm to an invalid (or unknown to LibreOffice) algorithm and LibreOffice would incorrectly present such a signature with an unknown algorithm as a valid signature issued by a trusted person This issue affects LibreOffice: from 7.0 before 7.0.5, from 7.1 before 7.1.1.

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2021-25636 MEDIUM

LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual aids that no alteration of the document occurred since the last signing and that the signature is valid. An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the document to contain both "X509Data" and "KeyValue" children of the "KeyInfo" tag, which when opened caused LibreOffice to verify using the "KeyValue" but to report verification with the unrelated "X509Data" value. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,CWE-295,

Products Affected

Vendor Product Version
libreoffice libreoffice *
fedoraproject fedora 34
CVE-2022-26305

An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to verify that the macro was actually signed with the certificate. An adversary could therefore create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading to the user to execute arbitrary code contained in macros improperly trusted. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2022-26306

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required initialization vector for encryption was always the same which weakens the security of the encryption making them vulnerable if an attacker has access to the user's configuration data. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 10.0
CVE-2022-26307

LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its entropy from 128 to 43 bits making the stored passwords vulerable to a brute force attack if an attacker has access to the users stored config. This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.7; 7.3 versions prior to 7.3.3.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 10.0
CVE-2022-3140

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
libreoffice libreoffice 7.4.0
fedoraproject fedora 35
CVE-2023-0950

Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1.

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 10.0
CVE-2023-1183

A flaw was found in the Libreoffice package. An attacker can craft an odb containing a "database/script" file with a SCRIPT command where the contents of the file could be written to a new file whose location was determined by the attacker.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
secalert@redhat.com 5.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N 1.3 3.6

Products Affected

Vendor Product Version
libreoffice libreoffice *
redhat enterprise_linux 9.0
fedoraproject fedora 38
libreoffice libreoffice 7.5.0
redhat enterprise_linux 8.0
CVE-2023-2255

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
CVE-2023-6185

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
security@documentfoundation.org 8.3 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H 1.7 6.0

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
debian debian_linux 12.0
fedoraproject fedora 38
CVE-2023-6186

Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@documentfoundation.org 8.3 HIGH CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H 1.7 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
debian debian_linux 12.0
fedoraproject fedora 38
CVE-2024-12425

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal. An attacker can write to arbitrary locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files. This issue affects LibreOffice: from 24.8 before < 24.8.4.

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
libreoffice libreoffice 24.8.0.0
CVE-2024-12426

Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4.

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
libreoffice libreoffice 24.8.0.0
CVE-2024-3044

Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.

Products Affected

Vendor Product Version
libreoffice libreoffice *
fedoraproject fedora 39
debian debian_linux 10.0
CVE-2024-5261

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, then curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false) In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4.

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2024-6472

Certificate Validation user interface in LibreOffice allows potential vulnerability. Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. When a document with a signed macro is opened a warning is displayed by LibreOffice before the macro is executed. Previously if verification failed the user could fail to understand the failure and choose to enable the macros anyway. This issue affects LibreOffice: from 24.2 before 24.2.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@documentfoundation.org 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2024-7788

Improper Digital Signature Invalidation  vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOfficeThis issue affects LibreOffice: from 24.2 before < 24.2.5.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@documentfoundation.org 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2025-0514

Improper Input Validation vulnerability in The Document Foundation LibreOffice allows Windows Executable hyperlink targets to be executed unconditionally on activation.This issue affects LibreOffice: from 24.8 before < 24.8.5.

Products Affected

Vendor Product Version
libreoffice libreoffice *
CVE-2025-1080

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.

Products Affected

Vendor Product Version
libreoffice libreoffice *
debian debian_linux 11.0
CVE-2025-2866

Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 1.8 3.6

Products Affected

Vendor Product Version
libreoffice libreoffice *
libreoffice libreoffice 24.8.0.0
libreoffice libreoffice 25.2.0.0