CVE-2025-1080Improper Input Validation in Document Foundation Libreoffice

CWE-20Improper Input Validation7 documents7 sources
Severity
7.2HIGHNVD
EPSS
0.1%
top 69.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
THE Document Foundation LibreofficeLibreofficeDebian Linux
Timeline
PublishedMar 4
Latest updateMar 10

Description

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:L/VA:H/SC:H/SI:H/SA:H

Affected Packages3 packages

NVDlibreoffice/libreoffice24.8.0.024.8.5.1+1
CVEListV5the_document_foundation/libreoffice24.8< 24.8.5+1
Debianlibreoffice/libreoffice< 1:7.0.4-4+deb11u13+3

Also affects: Debian Linux 11.0

🔴Vulnerability Details

3
OSV
CVE-2025-1080: LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server2025-03-04
GHSA
GHSA-gcgr-r4x5-w79r: LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server2025-03-04
CVEList
Macro URL arbitrary script execution2025-03-04

📋Vendor Advisories

3
Ubuntu
LibreOffice vulnerability2025-03-10
Red Hat
libreoffice: Macro URL arbitrary script execution2025-03-04
Debian
CVE-2025-1080: libreoffice - LibreOffice supports Office URI Schemes to enable browser integration of LibreOf...2025
CVE-2025-1080 — Improper Input Validation | cvebase