PT-2011-1218 · Apache+1 · Openoffice.Org+2

Marc Schoenefeld · Published 2011-01-28 · Updated 2022-02-07 · CVE-2010-3450

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

OpenOffice.org versions 2.x through 3.x prior to 3.3

Description

The issue is related to multiple directory traversal vulnerabilities. These vulnerabilities allow remote attackers to add and execute commands of their choice through the use of .. (dot dot) in the site parameter to (1) "index.php" and (2) "admin.php". Additionally, attackers can overwrite arbitrary files via a .. (dot dot) in an entry in (1) an XSLT JAR filter description file, (2) an Extension (aka OXT) file, or unspecified other (3) JAR or (4) ZIP files. This could potentially allow a remote attacker to access confidential data, disrupt its integrity, and cause a denial of service.

Recommendations

For OpenOffice.org versions 2.x through 3.x prior to 3.3, update to version 3.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the XSLT JAR filter and Extension (aka OXT) files until a patch is available. Avoid using the site parameter in the affected API endpoints "index.php" and "admin.php" until the issue is resolved.
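
As an added example (not from this advisory or from the OpenOffice.org project), the following pre-extraction check lists entries in a ZIP-format archive (OXT and JAR files are ZIP containers) whose names would resolve outside the extraction directory. The function names, the `/extract` root and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile


def escaping_entries(archive, dest="/extract"):
    """Return the entry names that would be written outside `dest`.

    `archive` is a path or a file-like object; `dest` is a hypothetical
    extraction root used only for path arithmetic (nothing is extracted).
    """
    root = dest.rstrip("/") + "/"
    bad = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            # Some extractors treat backslashes as separators, so do the same.
            norm = name.replace("\\", "/")
            target = posixpath.normpath(posixpath.join(dest, norm))
            absolute = norm.startswith("/") or (len(norm) > 1 and norm[1] == ":")
            if absolute or not (target + "/").startswith(root):
                bad.append(name)
    return bad


def build_sample_oxt():
    """Constructed sample: two normal entries and two with '..' components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/manifest.xml", "<manifest/>")
        zf.writestr("description.xml", "<description/>")
        zf.writestr("../../constructed-overwrite.txt", "x")
        zf.writestr("lib/../../escape.jar", "x")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry in escaping_entries(build_sample_oxt()):
        print("entry escapes extraction directory:", entry)
```
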

Fix

Path traversal


Weakness Enumeration

Related Identifiers

BDU:2020-02896
CVE-2010-3450
DSA-2151-1
RHSA-2011:0181
RHSA-2011:0182
RHSA-2011:0183
RHSA-2011_0181
RHSA-2011_0182
RHSA-2011_0183

Affected Products

Openoffice
Openoffice.Org
Red Hat