CVE-2023-2255

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Document Fdn.CNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
libreofficelibreoffice
7.4.0 ≤
𝑥
< 7.4.7
libreofficelibreoffice
7.5.0 ≤
𝑥
< 7.5.3
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libreoffice
bullseye
1:7.0.4-4+deb11u10
fixed
bullseye (security)
1:7.0.4-4+deb11u11
fixed
bookworm
4:7.4.7-1+deb12u5
fixed
bookworm (security)
4:7.4.7-1+deb12u5
fixed
sid
4:24.8.4-1
fixed
trixie
4:24.8.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libreoffice
lunar
Fixed 4:7.5.3-0ubuntu0.23.04.1
released
kinetic
Fixed 1:7.4.7-0ubuntu0.22.10.1
released
jammy
Fixed 1:7.3.7-0ubuntu0.22.04.3
released
focal
Fixed 1:6.4.7-0ubuntu0.20.04.8
released
bionic
ignored
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://lists.debian.org/debian-lts-announce/2023/08/msg00014.html
https://security.gentoo.org/glsa/202311-15
https://www.debian.org/security/2023/dsa-5415
https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255
https://lists.debian.org/debian-lts-announce/2023/08/msg00014.html
https://security.gentoo.org/glsa/202311-15
https://www.debian.org/security/2023/dsa-5415
https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255