CVE-2024-3044
Published 2024-05-14
Priority: P3 · 35 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS: 1.01% (58.7th percentile)
Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | libreoffice | < libreoffice 4:7.4.7-1+deb12u2 (bookworm) | libreoffice 4:7.4.7-1+deb12u2 (bookworm) |
| fedoraproject | fedora | — | — |
| libreoffice | libreoffice | < 7.6.7.1 | 7.6.7.1 |
| libreoffice | libreoffice | >= 0 < 1:7.0.4-4+deb11u9 | 1:7.0.4-4+deb11u9 |
| libreoffice | libreoffice | >= 0 < 4:7.4.7-1+deb12u2 | 4:7.4.7-1+deb12u2 |
| libreoffice | libreoffice | >= 0 < 4:24.2.3~rc1-2 | 4:24.2.3~rc1-2 |
| libreoffice | libreoffice | >= 0 < 4:24.2.3~rc1-2 | 4:24.2.3~rc1-2 |
| libreoffice | libreoffice | >= 24.2.0.0 < 24.2.3.1 | 24.2.3.1 |
| the_document_foundation | libreoffice | >= 24.2 < 24.2.3 | 24.2.3 |
| the_document_foundation | libreoffice | >= 7.6 < 7.6.7 | 7.6.7 |
CVSS provenance
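| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |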
Ubuntu
LibreOffice vulnerability
vendor_ubuntu·2024-05-28
CVE-2024-3044 LibreOffice vulnerability
Title: LibreOffice vulnerability
Summary: LibreOffice could be made to run programs when clicking a graphic.
Amel Bouziane-Leblond discovered that LibreOffice incorrectly handled
graphic on-click bindings. If a user were tricked into clicking a graphic
in a specially crafted document, a remote attacker could possibly run
arbitrary script.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libreoffice: create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic
vendor_redhat·2024-05-14·CVSS 6.5
CVE-2024-3044 [MEDIUM] CWE-20 libreoffice: create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic
Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.
A flaw was found in LibreOffice. Unchecked script execution in graphic on-click binding allows an attacker to create a document, which, without a prompt, will execute scripts built into LibreOffice when clicking a graphic. These scripts were previously deemed trusted but are now deemed untrusted.
Statement: CVE-2024-3044 poses a Moderate severity risk due to its potential to enable unau
Debian
CVE-2024-3044: libreoffice - Unchecked script execution in Graphic on-click binding in affected LibreOffice v...
vendor_debian·2024·CVSS 6.5
CVE-2024-3044 [MEDIUM] CVE-2024-3044: libreoffice - Unchecked script execution in Graphic on-click binding in affected LibreOffice v...
Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.
Scope: local
bookworm: resolved (fixed in 4:7.4.7-1+deb12u2)
bullseye: resolved (fixed in 1:7.0.4-4+deb11u9)
forky: resolved (fixed in 4:24.2.3~rc1-2)
sid: resolved (fixed in 4:24.2.3~rc1-2)
trixie: resolved (fixed in 4:24.2.3~rc1-2)
GHSA
GHSA-3j7w-h2jh-289j: Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt w
ghsa_unreviewed·2024-05-14
CVE-2024-3044 [MEDIUM] CWE-20 GHSA-3j7w-h2jh-289j: Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt w
Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.
OSV
CVE-2024-3044: Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt w
osv·2024-05-14·CVSS 6.5
CVE-2024-3044 [MEDIUM] CVE-2024-3044: Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt w
Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/3TU3TYDXICKPYHMCNL7ARYYBXACEAYJ4/
https://www.libreoffice.org/about-us/security/advisories/CVE-2024-3044
Published: 2024-05-14