CVE-2025-64407

CWE-201CWE-862Missing Authorization3 documents3 sources
Severity
5.3MEDIUM
EPSS
0.1%
top 68.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache OpenofficeApache Software Foundation Apache Openoffice
Timeline
PublishedNov 12

Description

Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. Such links could also be used to transmit system information, such as environment variables or configuration settings. In the affected versions of Apache OpenOffice, documents that used a certain URI scheme linking to external files would load the contents of such files without prompting the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDapache/openoffice< 4.1.16

🔴Vulnerability Details

2
GHSA
GHSA-wgcp-cg6f-7679: Apache OpenOffice documents can contain links2025-11-12
CVEList
Apache OpenOffice: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables2025-11-12
CVE-2025-64407 (MEDIUM CVSS 5.3) | Apache OpenOffice documents can con | cvebase.io