rpm package
opensuse/libreoffice&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/libreoffice&distro=openSUSE%20Tumbleweed
Vulnerabilities (43)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-5261 | — | | | < 24.2.5.2-1.1 | 24.2.5.2-1.1 | Jun 25, 2024 | Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as |
| CVE-2022-3140 | — | | | < 7.4.2.3-1.1 | 7.4.2.3-1.1 | Oct 11, 2022 | LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed t |
| CVE-2022-26307 | — | | | < 7.4.2.3-1.1 | 7.4.2.3-1.1 | Jul 25, 2022 | LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was poorly encoded resulting in weakening its e |
| CVE-2022-26305 | — | | | < 7.4.2.3-1.1 | 7.4.2.3-1.1 | Jul 25, 2022 | An Improper Certificate Validation vulnerability in LibreOffice existed where determining if a macro was signed by a trusted author was done by only matching the serial number and issuer string of the used certificate with that of a trusted certificate. This is not sufficient to |
| CVE-2020-12803 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Jun 8, 2020 | ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form data can be submitted to a URI, for example, to an external web server. To create submittable forms, ODF implements the XForms W3C standard, which allows data to be submitted w |
| CVE-2020-12802 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Jun 8, 2020 | LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a documen |
| CVE-2020-12801 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | May 18, 2020 | If LibreOffice has an encrypted document open and crashes, that document is auto-saved encrypted. On restart, LibreOffice offers to restore the document and prompts for the password to decrypt it. If the recovery is successful, and if the file format of the recovered document was |
| CVE-2019-9853 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Sep 27, 2019 | LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categori |
| CVE-2019-9855 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Sep 6, 2019 | LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be |
| CVE-2019-9854 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Sep 6, 2019 | LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of th |
| CVE-2019-9851 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Aug 15, 2019 | LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from document eve |
| CVE-2019-9850 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Aug 15, 2019 | LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be |
| CVE-2019-9848 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Jul 17, 2019 | LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into e |
| CVE-2018-16858 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Mar 25, 2019 | It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python metho |
| CVE-2018-10583 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | May 1, 2018 | An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5 automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by xlink:href=file://192.168.0.2/test.jpg within an office:document-content |
| CVE-2018-10120 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Apr 15, 2018 | The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and 6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a denial of service (heap-based buffer overflow with write access) or possi |
| CVE-2018-10119 | — | | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Apr 15, 2018 | sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service (use-after-free with write access) or possibly have unspecified other impa |
| CVE-2017-3157 | Med | 5.5 | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Nov 20, 2017 | By exploiting the way Apache OpenOffice before 4.1.4 renders embedded objects, an attacker could craft a document that allows reading in a file from the user's filesystem. Information could be retrieved by the attacker by, e.g., using hidden sections to store the information, tri |
| CVE-2017-8358 | Cri | 9.8 | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Apr 30, 2017 | LibreOffice before 2017-03-17 has an out-of-bounds write caused by a heap-based buffer overflow related to the ReadJPEG function in vcl/source/filter/jpeg/jpegc.cxx. |
| CVE-2017-7882 | Cri | 9.8 | | < 7.1.5.2-3.13 | 7.1.5.2-3.13 | Apr 15, 2017 | LibreOffice before 2017-03-14 has an out-of-bounds write related to the HWPFile::TagsRead function in hwpfilter/source/hwpfile.cxx. |
Page 1 of 3