CVE-2023-2255

Publication date 25 May 2023

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

5.3 · Medium

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without a prompt. In the affected versions of LibreOffice, documents that used "floating frames" linked to external files would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects The Document Foundation LibreOffice 7.4 versions prior to 7.4.7 and 7.5 versions prior to 7.5.3.
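
For triaging documents that reach hosts still waiting for the fixed packages, the following added example (not part of the advisory or of LibreOffice) lists floating frames in an ODF file whose link target lies outside the document package. It assumes floating frames are serialized as the ODF `draw:floating-frame` element with an `xlink:href` attribute, which the advisory does not state; the function names and the sample document are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

# Assumption: ODF namespaces and element name, not taken from the advisory.
DRAW_NS = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
FRAME_TAG = f"{{{DRAW_NS}}}floating-frame"
HREF_ATTR = f"{{{XLINK_NS}}}href"

def is_external(href):
    """True when the link target lies outside the document package."""
    if not href or href.startswith("#"):
        return False
    parsed = urlparse(href)
    if parsed.scheme or parsed.netloc:
        return True  # http:, https:, file:, drive letters, //host/share
    # "./Object 1" stays inside the package; absolute or parent paths leave it.
    return href.startswith(("/", "../", "\\\\"))

def external_floating_frames(odf_bytes):
    """Return (part, href) for each floating frame linked to an external target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        for name in ("content.xml", "styles.xml"):
            if name not in pkg.namelist():
                continue
            data = pkg.read(name)
            if b"<!DOCTYPE" in data:  # refuse DTDs: no entity expansion on untrusted input
                raise ValueError(f"{name}: unexpected DOCTYPE")
            for frame in ET.fromstring(data).iter(FRAME_TAG):
                href = frame.get(HREF_ATTR, "")
                if is_external(href):
                    hits.append((name, href))
    return hits

def build_sample(hrefs):
    """Constructed input: a minimal ODF-like zip with one floating frame per href."""
    frames = "".join(
        f'<draw:frame><draw:floating-frame xlink:href="{h}"/></draw:frame>' for h in hrefs)
    xml = (f'<doc xmlns:draw="{DRAW_NS}" xmlns:xlink="{XLINK_NS}">{frames}</doc>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample(["https://example.invalid/page.html", "./Object 1"])
    print(external_floating_frames(sample))
```

A hit is a reason to review the file before it is opened on an unpatched host, not proof of malicious intent, since linked frames have legitimate uses.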

Status

Package Ubuntu Release Status
libreoffice 23.04 lunar Fixed 4:7.5.3-0ubuntu0.23.04.1
libreoffice 22.10 kinetic Fixed 1:7.4.7-0ubuntu0.22.10.1
libreoffice 22.04 LTS jammy Fixed 1:7.3.7-0ubuntu0.22.04.3
libreoffice 20.04 LTS focal Fixed 1:6.4.7-0ubuntu0.20.04.8
libreoffice 18.04 LTS bionic Ignored end of standard support, was needed
libreoffice 16.04 LTS xenial Ignored end of standard support
libreoffice 14.04 LTS trusty Ignored end of standard support

Severity score breakdown

Parameter Value
Base score 5.3 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact Low
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-6144-1: LibreOffice vulnerabilities (7 June 2023)

Other references