LibreOffice Environmental Variable and INI File Value Exfiltration Vulnerability

Vulnerability

LibreOffice versions prior to 24.8.4 expand environment variables and INI file values embedded in URLs. A document can carry links crafted to use this variable expansion feature, and when such a document is opened, the expanded values could be sent to a remote server, exfiltrating potentially sensitive information.

Impact

Exploitation of this vulnerability could expose sensitive information, such as environment variables and INI file values, to an unauthorized party by exfiltrating it to a remote server.

Remediation

Users are advised to upgrade to LibreOffice 24.8.4 to address this vulnerability.
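While the upgrade is being rolled out, incoming OpenDocument files can be triaged for links that request variable expansion. The following is an added example, not part of the original advisory or of LibreOffice's code. It assumes expansion is requested through the `vnd.sun.star.expand:` URL scheme and `$NAME` / `${...}` macros, which the advisory does not name; `suspicious_links` and `build_sample` are hypothetical helper names.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Assumption (the advisory does not name the syntax): expansion is requested
# with the vnd.sun.star.expand: URL scheme and $NAME / ${...} macros.
EXPAND_SCHEME = "vnd.sun.star.expand:"
MACRO = re.compile(r"\$(\{[^}]*\}|[A-Za-z_]\w*)")

def _decode(url):
    """Percent-decode until stable so encoded markers are not missed."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url

def suspicious_links(odf_bytes):
    """Return (member, href, reason) for links that request expansion."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as z:
        for member in z.namelist():
            if not member.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(z.read(member))
            except ET.ParseError:
                continue  # e.g. encrypted or non-XML member
            for el in root.iter():
                href = el.get(XLINK_HREF)
                if not href:
                    continue
                decoded = _decode(href)
                if EXPAND_SCHEME in decoded.lower():
                    findings.append((member, href, "expand scheme"))
                elif MACRO.search(decoded):
                    findings.append((member, href, "macro in URL"))
    return findings

def build_sample(hrefs):
    """Constructed ODF-like archive holding one link element per href."""
    links = "".join(f'<a xlink:href="{h}"/>' for h in hrefs)
    xml = f'<doc xmlns:xlink="http://www.w3.org/1999/xlink">{links}</doc>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()
```

A hit is a reason to review the document before opening it in an unpatched installation; it does not replace upgrading to 24.8.4.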

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.4
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.