Apache OpenOffice: Macro URL arbitrary script execution
CVE-2023-47804

8.8 HIGH

Key Information:

Vendor: Apache
CVE Published: 29 December 2023

Summary

A security issue in Apache OpenOffice allows documents to contain links that call internal macros with arbitrary parameters. For specific URI schemes, these links bypass the user approval step, so activating one can lead to arbitrary script execution. The issue arises from inadequate handling of user consent during document interactions and affects specific versions of OpenOffice, as cited in related security discussions and advisories.

Affected Version(s)

Apache OpenOffice 0 <= 4.1.14

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Amel BOUZIANE-LEBLOND aka Icare Bug Bounty Hunter