CVE-2014-3524 — Command Injection in Apache Openoffice

CWE-77 — Command Injection8 documents8 sources

Severity

9.3CRITICALNVD

EPSS

10.7%

top 6.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Openoffice Libreoffice

Timeline

PublishedAug 26

Latest updateJan 4

Description

Apache OpenOffice before 4.1.1 allows remote attackers to execute arbitrary commands and possibly have other unspecified impact via a crafted Calc spreadsheet.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages3 packages

▶NVDapache/openoffice< 4.1.1

▶NVDlibreoffice/libreoffice4.3.0 — 4.3.1+1

▶Ubuntulibreoffice/libreoffice< 1:4.2.6.3-0ubuntu1

🔴Vulnerability Details

GHSA

GHSA-7h2p-mc8p-mxwq: Apache OpenOffice before 4↗2022-05-13

▶

CVEList

CVE-2014-3524: Apache OpenOffice before 4↗2014-08-26

▶

OSV

CVE-2014-3524: Apache OpenOffice before 4↗2014-08-26

▶

📋Vendor Advisories

Ubuntu

LibreOffice vulnerability↗2014-09-02

▶

Red Hat

libreoffice/openoffice.org: CSV command injection and DDE formulas↗2014-08-21

▶

💬Community

HackerOne

CSV Injection at https://assets-paris-demo.codefi.network/↗2023-01-04

▶

Bugzilla

CVE-2014-3524 libreoffice/openoffice.org: CSV command injection and DDE formulas↗2014-08-27

▶