OpenOffice
by Apache
CVEs (61)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-64404 | | | 0.00 | — | 0.01 | | Nov 12, 2025 | Apache OpenOffice documents can contain links to other files. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents… |
| CVE-2025-64403 | | | 0.00 | — | 0.01 | | Nov 12, 2025 | Apache OpenOffice Calc spreadsheet can contain links to other files, in the form of "external data sources". A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause such links to be loaded without prompt. This issue… |
| CVE-2025-64402 | | | 0.00 | — | 0.00 | | Nov 12, 2025 | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used "OLE… |
| CVE-2025-64401 | | | 0.00 | — | 0.01 | | Nov 12, 2025 | Apache OpenOffice documents can contain links. A missing Authorization vulnerability in Apache OpenOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of Apache OpenOffice, documents that used… |
| CVE-2023-47804 | | | 0.00 | — | 0.03 | | Dec 29, 2023 | Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. … |
| CVE-2022-47502 | | | 0.00 | — | 0.01 | | Mar 24, 2023 | Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval.… |
| CVE-2022-38745 | | | 0.00 | — | 0.01 | | Mar 24, 2023 | Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. |
| CVE-2022-37401 | | | 0.00 | — | 0.01 | | Aug 13, 2022 | Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key was poorly encoded resulting in weakening… |
| CVE-2022-37400 | | | 0.00 | — | 0.01 | | Aug 13, 2022 | Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required initialization vector for encryption… |
| CVE-2021-41832 | | | 0.00 | — | 0.01 | | Oct 11, 2021 | It is possible for an attacker to manipulate documents to appear to be signed by a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25635 for the LibreOffice advisory. |
| CVE-2021-41831 | | | 0.00 | — | 0.01 | | Oct 11, 2021 | It is possible for an attacker to manipulate the timestamp of signed documents. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25634 for the LibreOffice advisory. |
| CVE-2021-41830 | | | 0.00 | — | 0.01 | | Oct 11, 2021 | It is possible for an attacker to manipulate signed documents and macros to appear to come from a trusted source. All versions of Apache OpenOffice up to 4.1.10 are affected. Users are advised to update to version 4.1.11. See CVE-2021-25633 for the LibreOffice advisory. |
| CVE-2021-40439 | | | 0.00 | — | 0.03 | | Oct 7, 2021 | Apache OpenOffice has a dependency on expat software. Versions prior to 2.1.0 were subject to CVE-2013-0340 a "Billion Laughs" entity expansion denial of service attack and exploit via crafted XML files. ODF files consist of a set of XML files. All versions of Apache OpenOffice… |
| CVE-2021-28129 | | | 0.00 | — | 0.01 | | Oct 7, 2021 | While working on Apache OpenOffice 4.1.8 a developer discovered that the DEB package did not install using root, but instead used a userid and groupid of 500. This both caused issues with desktop integration and could allow a crafted attack on files owned by that user or group… |
| CVE-2021-30245 | | | 0.00 | — | 0.05 | | Apr 15, 2021 | The project received a report that all versions of Apache OpenOffice through 4.1.8 can open non-http(s) hyperlinks. The problem has existed since about 2006 and the issue is also in 4.1.9. If the link is specifically crafted this could lead to untrusted code execution. It is… |
| CVE-2020-13958 | | | 0.00 | — | 0.03 | | Nov 17, 2020 | A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target users file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be… |
| CVE-2018-11790 | | | 0.00 | — | 0.01 | | Jan 31, 2019 | When loading a document with Apache Open Office 4.1.5 and earlier with smaller end line termination than the operating system uses, the defect occurs. In this case OpenOffice runs into an Arithmetic Overflow at a string length calculation. |
| CVE-2013-4156 | | | 0.00 | — | 0.04 | | Jul 31, 2013 | Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted element in an OOXML document file. |
| CVE-2013-2189 | | | 0.00 | — | 0.04 | | Jul 31, 2013 | Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via invalid PLCF data in a DOC document file. |
| CVE-2010-3689 | | | 0.00 | — | 0.01 | | Jan 28, 2011 | soffice in OpenOffice.org (OOo) 3.x before 3.3 places a zero-length directory name in the LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse shared library in the current working directory. |