2210185 – (CVE-2023-2255) CVE-2023-2255 libreoffice: Remote documents loaded without prompt via IFrame

Bug 2210185 (CVE-2023-2255) - CVE-2023-2255 libreoffice: Remote documents loaded without prompt via IFrame

Summary: CVE-2023-2255 libreoffice: Remote documents loaded without prompt via IFrame

Keywords:
Status:	NEW
Alias:	CVE-2023-2255
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2210189 2210190 2210195 2210196 2210197 2210198
Blocks:	2210116
TreeView+	depends on / blocked

Reported:	2023-05-26 04:19 UTC by Sandipan Roy
Modified:	2023-11-14 15:16 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in LibreOffice. Improper access control in the editor components of The Document Foundation in LibreOffice allows an attacker to craft a document that causes external links to load without a prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, they would load the contents of those frames without prompting the user for permission. This action was inconsistent with the treatment of other linked content in LibreOffice.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:6508	0	None	None	None	2023-11-07 08:18:26 UTC
Red Hat Product Errata	RHSA-2023:6933	0	None	None	None	2023-11-14 15:16:17 UTC

Description Sandipan Roy 2023-05-26 04:19:36 UTC

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

https://www.libreoffice.org/about-us/security/advisories/CVE-2023-2255

Comment 1 Sandipan Roy 2023-05-26 04:32:14 UTC

Created libreoffice tracking bugs for this issue:

Affects: fedora-37 [bug 2210189]
Affects: fedora-38 [bug 2210190]

Comment 4 errata-xmlrpc 2023-11-07 08:18:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6508 https://access.redhat.com/errata/RHSA-2023:6508

Comment 5 errata-xmlrpc 2023-11-14 15:16:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6933 https://access.redhat.com/errata/RHSA-2023:6933

Note You need to log in before you can comment on or make changes to this bug.