Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files.
Created libreoffice tracking bugs for this issue:
Affects: fedora-all [bug 1848347]
The Open Document Format (ODF) XForms support in LibreOffice allowed users to create W3C XForms style forms and specify as the "form action," a local file with file:///filepathhere as a location to save form data. This allowed for specially crafted forms to be created which could overwrite/destroy local files on the system via social engineering. E.G. attacker creates a form which tricks the user into clicking a button that overwrites some valuable files on the local drive. There is no scope change and exploiting this flaw does require user interaction. Affects versions of LibreOffice before 6.4.4, including those shipped with Red Hat Enterprise Linux 6, 7 and 8. However, Red Hat Enterprise Linux 6 is out of support scope and will not be patched for this flaw.
1. https://wiki.documentfoundation.org/images/1/15/0215WG3-UsingFormsInWriter.pdf pg 25
To mitigate this vulnerability, do not submit forms acquired from untrusted sources. Alternatively, use the LibreOffice XForms document editor to verify the location provided in the "action" field of the submission section before submitting the form.
Upstream patch: https://github.com/LibreOffice/core/commit/28520676c22be8308d303d503238af220d99c2bd
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4628 https://access.redhat.com/errata/RHSA-2020:4628