Exposure of Environmental Variables in LibreOffice by The Document Foundation
CVE-2024-12426
6.7 MEDIUM
Key Information:
- Vendor
- The Document Foundation
- Status
- Libreoffice
- Vendor
- CVE Published:
- 7 January 2025
Summary
This vulnerability in LibreOffice allows an unauthorized actor to expose environment variables and arbitrary INI file values. When a user opens a specially crafted document containing URLs, that information could be exfiltrated to a remote server. The flaw affects versions of LibreOffice prior to 24.8.4, so keep the software updated and exercise caution with document sources.
Affected Version(s)
LibreOffice 24.8
CVSS V4
Score: 6.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Thomas Rinsma of Codean Labs