PT-2025-9990 · Collabora · Collabora Online
Icare1337 · Published 2025-03-06 · Updated 2025-03-07 · CVE-2025-24796
CVSS v4.0: 6.3 Medium
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Collabora Online versions prior to 22.05.25
Collabora Online versions prior to 23.05.19
Collabora Online versions prior to 24.04.12.4
Description
The issue concerns Collabora Online, a collaborative online office suite based on LibreOffice. By default, macro support is disabled, but administrators can enable it. When macros are enabled, they can run executable binaries, potentially allowing the installation and execution of arbitrary binaries within a restricted environment. This could be used to bypass network access limits and provide a platform for further exploitation attempts.
Recommendations
For versions prior to 22.05.25, update to version 22.05.25 or later to resolve the issue.
For versions prior to 23.05.19, update to version 23.05.19 or later to resolve the issue.
For versions prior to 24.04.12.4, update to version 24.04.12.4 or later to resolve the issue.
As a temporary workaround, consider disabling macro support in Collabora Online until a patch is available.
Affected Products
Collabora Online