Bug 1848346 (CVE-2020-12803) - CVE-2020-12803 libreoffice: forms allowed to be submitted to any URI could result in local file overwrite
Summary: CVE-2020-12803 libreoffice: forms allowed to be submitted to any URI could re...
Alias: CVE-2020-12803
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1848347 1848669 1848670
Blocks: 1848348
TreeView+ depends on / blocked
Reported: 2020-06-18 08:11 UTC by Marian Rehak
Modified: 2021-02-16 19:51 UTC (History)
4 users (show)

Fixed In Version: libreoffice 6.4.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-11-04 02:26:05 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4628 0 None None None 2020-11-04 02:29:40 UTC

Description Marian Rehak 2020-06-18 08:11:36 UTC
Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files.

Upstream Reference:


Comment 1 Marian Rehak 2020-06-18 08:12:03 UTC
Created libreoffice tracking bugs for this issue:

Affects: fedora-all [bug 1848347]

Comment 2 Todd Cullum 2020-06-18 17:10:24 UTC
Flaw Summary:
The Open Document Format (ODF) XForms support in LibreOffice allowed users to create W3C XForms[1] style forms and specify as the "form action," a local file with file:///filepathhere as a location to save form data. This allowed for specially crafted forms to be created which could overwrite/destroy local files on the system via social engineering. E.G. attacker creates a form which tricks the user into clicking a button that overwrites some valuable files on the local drive. There is no scope change and exploiting this flaw does require user interaction. Affects versions of LibreOffice before 6.4.4, including those shipped with Red Hat Enterprise Linux 6, 7 and 8. However, Red Hat Enterprise Linux 6 is out of support scope and will not be patched for this flaw.

1. https://wiki.documentfoundation.org/images/1/15/0215WG3-UsingFormsInWriter.pdf pg 25

Comment 4 Todd Cullum 2020-06-18 17:32:21 UTC

To mitigate this vulnerability, do not submit forms acquired from untrusted sources. Alternatively, use the LibreOffice XForms document editor to verify the location provided in the  "action" field of the submission section before submitting the form.

Comment 8 Product Security DevOps Team 2020-11-04 02:26:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 9 errata-xmlrpc 2020-11-04 02:29:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4628 https://access.redhat.com/errata/RHSA-2020:4628

Note You need to log in before you can comment on or make changes to this bug.