Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.
Weakness
The product’s user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libreoffice | Libreoffice | * | 7.6.7.1 (excluding) |
| Libreoffice | Libreoffice | 24.2.0.0 (including) | 24.2.3.1 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | libreoffice-1:6.4.7.2-17.el8_10 | * |
| Red Hat Enterprise Linux 9 | RedHat | libreoffice-1:7.1.8.1-13.el9_4 | * |
| Libreoffice | Ubuntu | devel | * |
| Libreoffice | Ubuntu | esm-infra/focal | * |
| Libreoffice | Ubuntu | focal | * |
| Libreoffice | Ubuntu | jammy | * |
| Libreoffice | Ubuntu | mantic | * |
| Libreoffice | Ubuntu | noble | * |
| Libreoffice | Ubuntu | upstream | * |
References
- https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TU3TYDXICKPYHMCNL7ARYYBXACEAYJ4/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2024-3044
- https://lists.debian.org/debian-lts-announce/2024/05/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TU3TYDXICKPYHMCNL7ARYYBXACEAYJ4/
- https://www.libreoffice.org/about-us/security/advisories/CVE-2024-3044