CVE-2023-2255

CWE-264 | 9 documents | 8 sources
Severity: 5.3 MEDIUM
EPSS: 49.1% (top 2.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 25 | Latest update Jun 7

Description

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice, documents that used "floating frames" linked to external files would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Found

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

CVEListV5 | the_document_foundation/libreoffice | 7.4 | 7.4.7 | +1
NVD | libreoffice/libreoffice | 7.4.0 | 7.4.7 | +1
Debian | libreoffice | < 1:7.0.4-4+deb11u7 | +3

Also affects: Debian Linux 11.0

🔴 Vulnerability Details (4)

OSV | libreoffice vulnerabilities | 2023-06-07
GHSA | GHSA-6pmq-j4m3-q2r8: Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external | 2023-05-25
CVEList | Remote documents loaded without prompt via IFrame | 2023-05-25
OSV | CVE-2023-2255: Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external | 2023-05-25

📋 Vendor Advisories (3)

Ubuntu | LibreOffice vulnerabilities | 2023-06-07
Red Hat | libreoffice: Remote documents loaded without prompt via IFrame | 2023-05-25
Debian | CVE-2023-2255: libreoffice - Improper access control in editor components of The Document Foundation LibreOff... | 2023

📄 Research Papers (1)

CTF | Mailing / README
CVE-2023-2255 (MEDIUM CVSS 5.3) | Improper access control in editor c | cvebase.io