PT-2025-16381 · Collabora · Collabora Online
Truff
·
Published
2025-04-15
·
Updated
2025-04-15
·
CVE-2025-27791
CVSS v4.0
8.3
High
| Vector | AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Collabora Online versions prior to 24.04.12.4
Collabora Online versions prior to 23.05.19
Collabora Online versions prior to 22.05.25
Description
Collabora Online is a collaborative online office suite based on LibreOffice technology. A path traversal flaw exists in handling the
BaseFileName field returned from WOPI servers, allowing a file to be written anywhere the uid running Collabora Online can write if a malicious response is supplied by a WOPI server. This issue can be combined with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, enabling the presentation of such a response to be processed by a Collabora Online instance.Recommendations
For versions prior to 24.04.12.4, update to version 24.04.13.1 or later.
For versions prior to 23.05.19, update to version 23.05.19 or later.
For versions prior to 22.05.25, update to version 22.05.25 or later.
As a temporary workaround, consider restricting access to the WOPI server integration until a patch is applied.
Exploit
Fix
Relative Path Traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Collabora Online