cvelistv5 - cve-2024-12426

CVE-2024-12426 (GCVE-0-2024-12426)

Vulnerability from cvelistv5 – Published: 2025-01-07 12:22 – Updated: 2025-11-03 20:36

Summary

Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4.

Severity ?

6.7 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

Document Fdn.

References

URL

Tags

https://www.libreoffice.org/about-us/security/adv…

Impacted products

	Vendor	Product	Version
	The Document Foundation	LibreOffice	Affected: 24.8 , < < 24.8.4 (24.8 series)

Credits

Thomas Rinsma of Codean Labs

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-12426",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-07T14:38:29.579414Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-07T14:38:34.076Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:36:39.840Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LibreOffice",
          "vendor": "The Document Foundation",
          "versions": [
            {
              "lessThan": "\u003c 24.8.4",
              "status": "affected",
              "version": "24.8",
              "versionType": "24.8 series"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Thomas Rinsma of Codean Labs"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003eExposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects LibreOffice: from 24.8 before \u0026lt; 24.8.4.\u003c/p\u003e"
            }
          ],
          "value": "Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\n\n\n\n\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\n\n\nThis issue affects LibreOffice: from 24.8 before \u003c 24.8.4."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-13",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-13 Subverting Environment Variable Values"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-07T12:22:32.991Z",
        "orgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
        "shortName": "Document Fdn."
      },
      "references": [
        {
          "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "URL fetching can be used to exfiltrate arbitrary INI file values and environment variables",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fe7d05b-1353-44cc-8b7a-1e416936dff2",
    "assignerShortName": "Document Fdn.",
    "cveId": "CVE-2024-12426",
    "datePublished": "2025-01-07T12:22:32.991Z",
    "dateReserved": "2024-12-10T16:37:23.376Z",
    "dateUpdated": "2025-11-03T20:36:39.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\\n\\n\\n\\n\\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\\n\\n\\nThis issue affects LibreOffice: from 24.8 before \u003c 24.8.4.\"}, {\"lang\": \"es\", \"value\": \"Exposici\\u00f3n de variables ambientales y valores arbitrarios de archivos INI a una vulnerabilidad de actor no autorizado en The Document Foundation LibreOffice. Se podr\\u00edan construir URL que expandieran las variables ambientales o los valores de archivos INI, por lo que se podr\\u00eda filtrar informaci\\u00f3n potencialmente confidencial a un servidor remoto al abrir un documento que contenga dichos enlaces. Este problema afecta a LibreOffice: desde la versi\\u00f3n 24.8 hasta la versi\\u00f3n 24.8.4.\"}]",
      "id": "CVE-2024-12426",
      "lastModified": "2025-01-07T13:15:07.210",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security@documentfoundation.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 6.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"PASSIVE\", \"vulnerableSystemConfidentiality\": \"HIGH\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"HIGH\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
      "published": "2025-01-07T13:15:07.210",
      "references": "[{\"url\": \"https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426\", \"source\": \"security@documentfoundation.org\"}]",
      "sourceIdentifier": "security@documentfoundation.org",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security@documentfoundation.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-12426\",\"sourceIdentifier\":\"security@documentfoundation.org\",\"published\":\"2025-01-07T13:15:07.210\",\"lastModified\":\"2025-11-03T21:16:05.723\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\\n\\n\\n\\n\\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\\n\\n\\nThis issue affects LibreOffice: from 24.8 before \u003c 24.8.4.\"},{\"lang\":\"es\",\"value\":\"Exposici\u00f3n de variables ambientales y valores arbitrarios de archivos INI a una vulnerabilidad de actor no autorizado en The Document Foundation LibreOffice. Se podr\u00edan construir URL que expandieran las variables ambientales o los valores de archivos INI, por lo que se podr\u00eda filtrar informaci\u00f3n potencialmente confidencial a un servidor remoto al abrir un documento que contenga dichos enlaces. Este problema afecta a LibreOffice: desde la versi\u00f3n 24.8 hasta la versi\u00f3n 24.8.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@documentfoundation.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security@documentfoundation.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426\",\"source\":\"security@documentfoundation.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T20:36:39.840Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-12426\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-07T14:38:29.579414Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-07T14:38:20.520Z\"}}], \"cna\": {\"title\": \"URL fetching can be used to exfiltrate arbitrary INI file values and environment variables\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Thomas Rinsma of Codean Labs\"}], \"impacts\": [{\"capecId\": \"CAPEC-13\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-13 Subverting Environment Variable Values\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"The Document Foundation\", \"product\": \"LibreOffice\", \"versions\": [{\"status\": \"affected\", \"version\": \"24.8\", \"lessThan\": \"\u003c 24.8.4\", \"versionType\": \"24.8 series\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\\n\\n\\n\\n\\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\\n\\n\\nThis issue affects LibreOffice: from 24.8 before \u003c 24.8.4.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003eExposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\u003cbr\u003e\u003c/div\u003e\u003cp\u003eThis issue affects LibreOffice: from 24.8 before \u0026lt; 24.8.4.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"4fe7d05b-1353-44cc-8b7a-1e416936dff2\", \"shortName\": \"Document Fdn.\", \"dateUpdated\": \"2025-01-07T12:22:32.991Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-12426\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T20:36:39.840Z\", \"dateReserved\": \"2024-12-10T16:37:23.376Z\", \"assignerOrgId\": \"4fe7d05b-1353-44cc-8b7a-1e416936dff2\", \"datePublished\": \"2025-01-07T12:22:32.991Z\", \"assignerShortName\": \"Document Fdn.\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-X7M8-VRFV-272V

Vulnerability from github – Published: 2025-01-07 15:31 – Updated: 2025-11-03 21:32

Details

Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.

URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.

This issue affects LibreOffice: from 24.8 before < 24.8.4.

Severity ?

6.7 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-12426"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-07T13:15:07Z",
    "severity": "MODERATE"
  },
  "details": "Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\n\n\n\n\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\n\n\nThis issue affects LibreOffice: from 24.8 before \u003c 24.8.4.",
  "id": "GHSA-x7m8-vrfv-272v",
  "modified": "2025-11-03T21:32:04Z",
  "published": "2025-01-07T15:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12426"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html"
    },
    {
      "type": "WEB",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

FKIE_CVE-2024-12426

Vulnerability from fkie_nvd - Published: 2025-01-07 13:15 - Updated: 2025-11-03 21:16

Severity ?

6.7 (Medium) - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Summary

References

	URL	Tags
	security@documentfoundation.org	https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426
	af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice.\n\n\n\n\nURLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.\n\n\nThis issue affects LibreOffice: from 24.8 before \u003c 24.8.4."
    },
    {
      "lang": "es",
      "value": "Exposici\u00f3n de variables ambientales y valores arbitrarios de archivos INI a una vulnerabilidad de actor no autorizado en The Document Foundation LibreOffice. Se podr\u00edan construir URL que expandieran las variables ambientales o los valores de archivos INI, por lo que se podr\u00eda filtrar informaci\u00f3n potencialmente confidencial a un servidor remoto al abrir un documento que contenga dichos enlaces. Este problema afecta a LibreOffice: desde la versi\u00f3n 24.8 hasta la versi\u00f3n 24.8.4."
    }
  ],
  "id": "CVE-2024-12426",
  "lastModified": "2025-11-03T21:16:05.723",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.7,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security@documentfoundation.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-07T13:15:07.210",
  "references": [
    {
      "source": "security@documentfoundation.org",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html"
    }
  ],
  "sourceIdentifier": "security@documentfoundation.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security@documentfoundation.org",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2025-0028

Vulnerability from csaf_certbund - Published: 2025-01-07 23:00 - Updated: 2025-06-12 22:00

Summary

LibreOffice: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

LibreOffice ist eine leistungsfähige Office-Suite, voll kompatibel mit den Programmen anderer großer Office-Anbieter, für verbreitete Betriebssysteme wie Windows, GNU/Linux und Apple Mac OS X geeignet. LibreOffice bietet sechs Anwendungen für die Erstellung von Dokumenten und zur Datenverarbeitung: Writer, Calc, Impress, Draw, Base und Math.

Angriff

Ein lokaler Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um Dateien zu manipulieren oder Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "LibreOffice ist eine leistungsf\u00e4hige Office-Suite, voll kompatibel mit den Programmen anderer gro\u00dfer Office-Anbieter, f\u00fcr verbreitete Betriebssysteme wie Windows, GNU/Linux und Apple Mac OS X geeignet. LibreOffice bietet sechs Anwendungen f\u00fcr die Erstellung von Dokumenten und zur Datenverarbeitung: Writer, Calc, Impress, Draw, Base und Math.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein lokaler Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um Dateien zu manipulieren oder Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0028 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0028.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0028 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0028"
      },
      {
        "category": "external",
        "summary": "LibreOffice Security Advisory vom 2025-01-07",
        "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425/"
      },
      {
        "category": "external",
        "summary": "LibreOffice Security Advisory vom 2025-01-07",
        "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426/"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker vom 2025-01-07",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336110"
      },
      {
        "category": "external",
        "summary": "Red Hat Bugtracker vom 2025-01-07",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2336117"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4020 vom 2025-01-19",
        "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DSA-5846 vom 2025-01-19",
        "url": "https://lists.debian.org/debian-security-announce/2025/msg00008.html"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7228-1 vom 2025-01-27",
        "url": "https://ubuntu.com/security/notices/USN-7228-1"
      },
      {
        "category": "external",
        "summary": "PoC auf GitHub vom 2025-02-17",
        "url": "https://github.com/codean-io/pocs"
      },
      {
        "category": "external",
        "summary": "Amazon Linux Security Advisory ALASLIBREOFFICE-2025-007 vom 2025-04-29",
        "url": "https://alas.aws.amazon.com/AL2/ALASLIBREOFFICE-2025-007.html"
      },
      {
        "category": "external",
        "summary": "Gentoo Linux Security Advisory GLSA-202506-03 vom 2025-06-12",
        "url": "https://security.gentoo.org/glsa/202506-03"
      }
    ],
    "source_lang": "en-US",
    "title": "LibreOffice: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-12T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-13T07:00:06.259+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-0028",
      "initial_release_date": "2025-01-07T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-07T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-01-19T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        },
        {
          "date": "2025-01-27T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-02-17T23:00:00.000+00:00",
          "number": "4",
          "summary": "PoC aufgenommen"
        },
        {
          "date": "2025-04-29T22:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Amazon aufgenommen"
        },
        {
          "date": "2025-06-12T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von Gentoo aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Amazon Linux 2",
            "product": {
              "name": "Amazon Linux 2",
              "product_id": "398363",
              "product_identification_helper": {
                "cpe": "cpe:/o:amazon:linux_2:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Amazon"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Gentoo Linux",
            "product": {
              "name": "Gentoo Linux",
              "product_id": "T012167",
              "product_identification_helper": {
                "cpe": "cpe:/o:gentoo:linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Gentoo"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c24.8.4",
                "product": {
                  "name": "Open Source LibreOffice \u003c24.8.4",
                  "product_id": "T040067"
                }
              },
              {
                "category": "product_version",
                "name": "24.8.4",
                "product": {
                  "name": "Open Source LibreOffice 24.8.4",
                  "product_id": "T040067-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:libreoffice:libreoffice:24.8.4"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "LibreOffice"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-12425",
      "product_status": {
        "known_affected": [
          "2951",
          "T000126",
          "398363",
          "T012167",
          "T040067"
        ]
      },
      "release_date": "2025-01-07T23:00:00.000+00:00",
      "title": "CVE-2024-12425"
    },
    {
      "cve": "CVE-2024-12426",
      "product_status": {
        "known_affected": [
          "2951",
          "T000126",
          "398363",
          "T012167",
          "T040067"
        ]
      },
      "release_date": "2025-01-07T23:00:00.000+00:00",
      "title": "CVE-2024-12426"
    }
  ]
}

CERTFR-2025-AVI-0992

Vulnerability from certfr_avis - Published: 2025-11-12 - Updated: 2025-11-12

De multiples vulnérabilités ont été découvertes dans Apache OpenOffice. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, une atteinte à la confidentialité des données et une atteinte à l'intégrité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	OpenOffice	OpenOffice	OpenOffice versions antérieures à 4.1.16

References

Title

Publication Time

Tags

Bulletin de sécurité OpenOffice CVE-2025-64404	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64402	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64406	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64403	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64401	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64405	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64407	2025-11-12	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "OpenOffice versions ant\u00e9rieures \u00e0 4.1.16",
      "product": {
        "name": "OpenOffice",
        "vendor": {
          "name": "OpenOffice",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-64403",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64403"
    },
    {
      "name": "CVE-2025-64402",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64402"
    },
    {
      "name": "CVE-2023-2255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2255"
    },
    {
      "name": "CVE-2024-12426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12426"
    },
    {
      "name": "CVE-2025-64407",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64407"
    },
    {
      "name": "CVE-2025-64406",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64406"
    },
    {
      "name": "CVE-2025-64401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64401"
    },
    {
      "name": "CVE-2025-64404",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64404"
    },
    {
      "name": "CVE-2025-64405",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64405"
    }
  ],
  "initial_release_date": "2025-11-12T00:00:00",
  "last_revision_date": "2025-11-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0992",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-11-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Apache OpenOffice. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apache OpenOffice",
  "vendor_advisories": [
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64404",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64404.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64402",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64402.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64406",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64406.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64403",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64403.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64401",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64401.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64405",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64405.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64407",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64407.html"
    }
  ]
}

CERTFR-2025-AVI-0006

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans LibreOffice. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et un contournement de la politique de sécurité.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Libreoffice	LibreOffice	LibreOffice versions antérieures à 24.8.4

References

Title

Publication Time

Tags

Bulletin de sécurité LibreOffice cve-2024-12426	2025-01-07	vendor-advisory
Bulletin de sécurité LibreOffice cve-2024-12425	2025-01-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "LibreOffice versions ant\u00e9rieures \u00e0 24.8.4",
      "product": {
        "name": "LibreOffice",
        "vendor": {
          "name": "Libreoffice",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-12425",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12425"
    },
    {
      "name": "CVE-2024-12426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12426"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0006",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans LibreOffice. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans LibreOffice",
  "vendor_advisories": [
    {
      "published_at": "2025-01-07",
      "title": "Bulletin de s\u00e9curit\u00e9 LibreOffice cve-2024-12426",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426/"
    },
    {
      "published_at": "2025-01-07",
      "title": "Bulletin de s\u00e9curit\u00e9 LibreOffice cve-2024-12425",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425/"
    }
  ]
}

CERTFR-2025-AVI-0992

Vulnerability from certfr_avis - Published: 2025-11-12 - Updated: 2025-11-12

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	OpenOffice	OpenOffice	OpenOffice versions antérieures à 4.1.16

References

Title

Publication Time

Tags

Bulletin de sécurité OpenOffice CVE-2025-64404	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64402	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64406	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64403	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64401	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64405	2025-11-12	vendor-advisory
Bulletin de sécurité OpenOffice CVE-2025-64407	2025-11-12	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "OpenOffice versions ant\u00e9rieures \u00e0 4.1.16",
      "product": {
        "name": "OpenOffice",
        "vendor": {
          "name": "OpenOffice",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2025-64403",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64403"
    },
    {
      "name": "CVE-2025-64402",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64402"
    },
    {
      "name": "CVE-2023-2255",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-2255"
    },
    {
      "name": "CVE-2024-12426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12426"
    },
    {
      "name": "CVE-2025-64407",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64407"
    },
    {
      "name": "CVE-2025-64406",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64406"
    },
    {
      "name": "CVE-2025-64401",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64401"
    },
    {
      "name": "CVE-2025-64404",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64404"
    },
    {
      "name": "CVE-2025-64405",
      "url": "https://www.cve.org/CVERecord?id=CVE-2025-64405"
    }
  ],
  "initial_release_date": "2025-11-12T00:00:00",
  "last_revision_date": "2025-11-12T00:00:00",
  "links": [],
  "reference": "CERTFR-2025-AVI-0992",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-11-12T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Apache OpenOffice. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apache OpenOffice",
  "vendor_advisories": [
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64404",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64404.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64402",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64402.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64406",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64406.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64403",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64403.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64401",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64401.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64405",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64405.html"
    },
    {
      "published_at": "2025-11-12",
      "title": "Bulletin de s\u00e9curit\u00e9 OpenOffice CVE-2025-64407",
      "url": "https://www.openoffice.org/security/cves/CVE-2025-64407.html"
    }
  ]
}

CERTFR-2025-AVI-0006

Vulnerability from certfr_avis - Published: - Updated:

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

	Vendor	Product	Description
	Libreoffice	LibreOffice	LibreOffice versions antérieures à 24.8.4

References

Title

Publication Time

Tags

Bulletin de sécurité LibreOffice cve-2024-12426	2025-01-07	vendor-advisory
Bulletin de sécurité LibreOffice cve-2024-12425	2025-01-07	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "LibreOffice versions ant\u00e9rieures \u00e0 24.8.4",
      "product": {
        "name": "LibreOffice",
        "vendor": {
          "name": "Libreoffice",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-12425",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12425"
    },
    {
      "name": "CVE-2024-12426",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-12426"
    }
  ],
  "links": [],
  "reference": "CERTFR-2025-AVI-0006",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2025-01-08T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans LibreOffice. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et un contournement de la politique de s\u00e9curit\u00e9.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans LibreOffice",
  "vendor_advisories": [
    {
      "published_at": "2025-01-07",
      "title": "Bulletin de s\u00e9curit\u00e9 LibreOffice cve-2024-12426",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426/"
    },
    {
      "published_at": "2025-01-07",
      "title": "Bulletin de s\u00e9curit\u00e9 LibreOffice cve-2024-12425",
      "url": "https://www.libreoffice.org/about-us/security/advisories/cve-2024-12425/"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-12426 (GCVE-0-2024-12426)

GHSA-X7M8-VRFV-272V

FKIE_CVE-2024-12426

WID-SEC-W-2025-0028

CERTFR-2025-AVI-0992

Solutions

CERTFR-2025-AVI-0006

Solutions

CERTFR-2025-AVI-0992

Solutions

CERTFR-2025-AVI-0006

Solutions

Tags

Sightings

Nomenclature