Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files. Upstream Reference: https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803
Created libreoffice tracking bugs for this issue: Affects: fedora-all [bug 1848347]
Flaw Summary: The Open Document Format (ODF) XForms support in LibreOffice allowed users to create W3C XForms[1] style forms and specify as the "form action," a local file with file:///filepathhere as a location to save form data. This allowed for specially crafted forms to be created which could overwrite/destroy local files on the system via social engineering. E.G. attacker creates a form which tricks the user into clicking a button that overwrites some valuable files on the local drive. There is no scope change and exploiting this flaw does require user interaction. Affects versions of LibreOffice before 6.4.4, including those shipped with Red Hat Enterprise Linux 6, 7 and 8. However, Red Hat Enterprise Linux 6 is out of support scope and will not be patched for this flaw. 1. https://wiki.documentfoundation.org/images/1/15/0215WG3-UsingFormsInWriter.pdf pg 25
Mitigation: To mitigate this vulnerability, do not submit forms acquired from untrusted sources. Alternatively, use the LibreOffice XForms document editor to verify the location provided in the "action" field of the submission section before submitting the form.
Upstream patch: https://github.com/LibreOffice/core/commit/28520676c22be8308d303d503238af220d99c2bd
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12803
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4628 https://access.redhat.com/errata/RHSA-2020:4628