CVE-2024-12426

Published Jan 7, 2025

Last updated 2 months ago

Overview

Description
Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before 24.8.4.
Source
security@documentfoundation.org
NVD status
Received

Risk scores

CVSS 4.0

Type
Secondary
Base score
6.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

Weaknesses

security@documentfoundation.org
CWE-200

Social media

Hype score
Not currently trending
  1. PoC exploiting LibreOffice vulnerabilities released (CVE-2024-12425, CVE-2024-12426) https://t.co/ePCuryaTff #izumino_trend

    @sec_trend

    19 Feb 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🔒 Attention, LibreOffice users! Critical vulnerabilities allow arbitrary code execution and manipulation of sensitive files. CVE-2024-12425 and CVE-2024-12426 can compromise your information. Update now to protect yourself!

    @IncursioHack

    19 Feb 2025

    12 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. PoC exploiting LibreOffice vulnerabilities released (CVE-2024-12425, CVE-2024-12426) #セキュリティ #セキュリティ対策Lab https://t.co/KDxItn0Rl4

    @securityLab_jp

    19 Feb 2025

    17 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Two critical vulnerabilities in LibreOffice (CVE-2024-12425 & CVE-2024-12426) can be exploited via malicious documents, posing serious risks. Update to version 24.8.4 ASAP! 🔒 #LibreOffice #DataSecurity #USA link: https://t.co/FJwYyDokH8 https://t.co/zr7pEQP6xW

    @TweetThreatNews

    18 Feb 2025

    44 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. #LibreOffice: patches two #vulnerabilities allowing arbitrary file writes & remote data extraction from environment variables & configuration files. CVE-2024-12425 & CVE-2024-12426 require no user interaction beyond opening a malicious document: 👇 🔗 https://t.co/p

    @StringsVsAtoms

    18 Feb 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. #LibreOffice: patches two #vulnerabilities allowing arbitrary file writes & remote data extraction from environment variables & configuration files. CVE-2024-12425 & CVE-2024-12426 require no user interaction beyond opening a malicious document: 👇 https://t.co/vGSKI

    @securestep9

    18 Feb 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. LibreOffice Vulnerabilities (CVE-2024-12425 & CVE-2024-12426): PoCs Released https://t.co/ehgycwRHSu

    @Dinosn

    18 Feb 2025

    2787 Impressions

    14 Retweets

    34 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  8. #exploit 1. CVE-2024-12425, CVE-2024-12426: LibreOffice Path Traversal https://t.co/6gInUfeAFA 2. CVE-2024-36412: Using XSS filters against XSS filters - Unexpected SQLI/RCE https://t.co/xh9NiHmgqa 3. CVE-2024-42327: Zabbix Privilege Escalation -> RCE https://t.co/jQT6L9XMLy

    @ksg93rd

    17 Feb 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. LibreOffice CVE-2024-12425: Path traversal leading to arbitrary .ttf file write https://t.co/ndGQTtCZH4 CVE-2024-12426: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables https://t.co/VjegSgQnIw

    @autumn_good_35

    9 Jan 2025

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2024-12426 Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be con… https://t.co/aQ2Gemou3e

    @CVEnew

    7 Jan 2025

    359 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes