PT-2020-3350 · Document Foundation+8 · Libreoffice+8

Published

2020-06-08

·

Updated

2024-06-15

·

CVE-2020-12803

CVSS v2.0

7.1

High

VectorAV:N/AC:M/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions LibreOffice versions prior to 6.4.4
Description The issue is related to a form submission feature in ODF documents, which can be used to submit data to a URI, such as an external web server. Prior to version 6.4.4, LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files. User-interaction is required to submit the form. To avoid the possibility of malicious documents, this feature has now been limited to http[s] URIs, removing the possibility to overwrite local files.
Recommendations For LibreOffice versions prior to 6.4.4, update to version 6.4.4 or later to limit form submissions to http[s] URIs and prevent the possibility of overwriting local files. As a temporary workaround, consider disabling form submissions to file: URIs to minimize the risk of exploitation. Restrict access to sensitive local files to prevent potential data integrity issues.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALSA-2020:4628
ALT-PU-2020-2512
ALT-PU-2020-2609
ALT-PU-2020-2699
ALT-PU-2020-3097
BDU:2020-03673
CESA-2020_4628
CVE-2020-12803
DLA-3703-1
OPENSUSE-SU-2020:1222-1
OPENSUSE-SU-2020:1261-1
OPENSUSE-SU-2020_1222-1
OPENSUSE-SU-2020_1261-1
OPENSUSE-SU-2024:10983-1
RHSA-2020:4628
RHSA-2020_4628
RLSA-2020:4628
SUSE-SU-2020:2217-1
SUSE-SU-2020:2235-1
SUSE-SU-2020:2283-1
USN-5694-1

Affected Products

Alt Linux
Almalinux
Centos
Libreoffice
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu