PT-2024-10221 · Document Foundation+5 · Libreoffice+5
Thomas Rinsma · Published 2024-12-10 · Updated 2025-06-11
CVE-2024-12426
CVSS v4.0: 6.7 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
LibreOffice versions 24.8 through 24.8.3
Description
LibreOffice does not sufficiently protect internal data, which allows an unauthorized actor to potentially disclose sensitive information. Specifically, URLs could be constructed to expand environment variables or INI file values; when a document containing such links is opened, the expanded values, which may be sensitive, can be exfiltrated to a remote server.
Recommendations
For LibreOffice versions 24.8 through 24.8.3, update to version 24.8.4 or later to resolve the issue. As a temporary workaround until the patch is applied, consider restricting the use of URLs in documents that could expand environment variables or INI file values, and avoid links that could potentially disclose sensitive information.
Fix
Information Disclosure
Affected Products
Alt Linux
Astra Linux
Libreoffice
Linuxmint
Red Os
Ubuntu