CVE-2023-6186: Improper Preservation of Permissions in Document Foundation Libreoffice

Severity: 8.8 HIGH (NVD), 8.3 (CNA)
EPSS: 1.3% (top 20.34%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 11, latest update Dec 14

Description

Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro or similar built-in command targets that can be executed when activated without warning the user.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

CVEListV5 | the_document_foundation/libreoffice | 7.5 | 7.5.9 | +1
NVD | libreoffice/libreoffice | 7.5.0 | 7.5.9 | +1
Debian | libreoffice/libreoffice | < 1:7.0.4-4+deb11u8 | +3

Also affects: Debian Linux 11.0, 12.0, Fedora 38

🔴 Vulnerability Details (5)

OSV: libreoffice vulnerabilities (2023-12-14)
CVEList: Link targets allow arbitrary script execution (2023-12-11)
GHSA: GHSA-q565-g228-cgg3: Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning (2023-12-11)
OSV: CVE-2023-6186: Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to execute built-in macros without warning (2023-12-11)
OSV: libreoffice vulnerabilities (2023-12-11)

📋 Vendor Advisories (4)

Ubuntu: LibreOffice vulnerabilities (2023-12-14)
Ubuntu: LibreOffice vulnerabilities (2023-12-11)
Red Hat: libreoffice: Insufficient macro permission validation leading to macro execution (2023-12-11)
Debian: CVE-2023-6186: libreoffice - Insufficient macro permission validation of The Document Foundation LibreOffice ... (2023)
CVE-2023-6186 — Improper Preservation of Permissions | cvebase