ALT-PU-2024-14937-2

Package update LibreOffice-still in branch p10

Version: 24.2.6.2-alt0.p10.1
Published: 2024-11-14
Max severity: CRITICAL

Closed issues (8)

BDU:2024-04136
HIGH 8.8

A vulnerability in the LibreOffice office suite related to the possibility of code or data injection, allowing an attacker to execute arbitrary code

Published: 2024-05-28
Modified: 2026-01-20
CVSS 3.x: HIGH 8.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0: CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
BDU:2024-04913
CRITICAL 9.8

A vulnerability in the LibreOfficeKit component of the LibreOffice office suite that may allow an attacker to execute arbitrary code

Published: 2024-07-01
Modified: 2026-01-20
CVSS 3.x: CRITICAL 9.8
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0: CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
BDU:2024-06443
HIGH 7.8

A vulnerability in the certificate validation user interface of the LibreOffice office suite, allowing an attacker to execute arbitrary code

Published: 2024-08-26
Modified: 2026-01-20
CVSS 3.x: HIGH 7.8
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0: HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
BDU:2024-07260
HIGH 7.8

A vulnerability in the LibreOffice office suite related to improper verification of a cryptographic signature, allowing an attacker to create a specially crafted document that, after repair, reports a valid electronic signature status

Published: 2024-09-19
Modified: 2025-09-05
CVSS 3.x: HIGH 7.8
CVSS:3.x/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.0: HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
CVE-2024-3044
MEDIUM 6.5

Unchecked script execution in Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which without prompt will execute scripts built-into LibreOffice on clicking a graphic. Such scripts were previously deemed trusted but are now deemed untrusted.

Published: 2024-05-14
Modified: 2025-12-10
CVSS 3.x: MEDIUM 6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVE-2024-5261
CRITICAL 10.0

Improper Certificate Validation vulnerability in LibreOffice "LibreOfficeKit" mode disables TLS certification verification. LibreOfficeKit can be used for accessing LibreOffice functionality through C/C++. Typically this is used by third party components to reuse LibreOffice as a library to convert, view or otherwise interact with documents. LibreOffice internally makes use of "curl" to fetch remote resources such as images hosted on webservers. In affected versions of LibreOffice, when used in LibreOfficeKit mode only, curl's TLS certification verification was disabled (CURLOPT_SSL_VERIFYPEER of false). In the fixed versions curl operates in LibreOfficeKit mode the same as in standard mode, with CURLOPT_SSL_VERIFYPEER of true. This issue affects LibreOffice before version 24.2.4.

Published: 2024-06-25
Modified: 2025-12-23
CVSS 3.x: CRITICAL 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: CRITICAL 10.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVE-2024-6472
HIGH 7.8

Certificate Validation user interface in LibreOffice allows potential vulnerability. Signed macros are scripts that have been digitally signed by the developer using a cryptographic signature. When a document with a signed macro is opened a warning is displayed by LibreOffice before the macro is executed. Previously if verification failed the user could fail to understand the failure and choose to enable the macros anyway. This issue affects LibreOffice: from 24.2 before 24.2.5.

Published: 2024-08-05
Modified: 2025-12-10
CVSS 3.x: HIGH 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-7788
HIGH 7.8

Improper Digital Signature Invalidation vulnerability in Zip Repair Mode of The Document Foundation LibreOffice allows Signature forgery vulnerability in LibreOffice. This issue affects LibreOffice: from 24.2 before 24.2.5.

Published: 2024-09-17
Modified: 2024-11-21
CVSS 3.x: HIGH 7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H