PoC Exploits for Two Critical LibreOffice Vulnerabilities Released, Patch ASAP

Summary: Cybersecurity researchers at Codean Labs have identified two significant vulnerabilities in LibreOffice—CVE-2024-12425 (Arbitrary File Write) and CVE-2024-12426 (Remote File Read)—that can be exploited by opening malicious documents. These vulnerabilities require no user interaction beyond opening the document, making them particularly risky for both individual users and organizations that use LibreOffice. Administrators are advised to update their installations to version 24.8.4 or later to mitigate the risk.

Affected: LibreOffice

Key points:

  • The two CVEs allow arbitrary file writes and unauthorized extraction of data from environment variables and configuration files.
  • The first vulnerability exploits improper handling of embedded fonts in .fodt documents, enabling attackers to write files anywhere on the system.
  • The second vulnerability enables the theft of sensitive information, including credentials, by leveraging LibreOffice’s weak INI parsing.
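The first key point describes the classic shape of an arbitrary-file-write bug: an attacker-controlled file name from an embedded font is used to build an on-disk path without confining it to the intended directory. The following Python script is an added example (not code from LibreOffice, Codean Labs or the source article) showing the defender-side check: a path-containment routine and a scanner that flags embedded font references in a flat ODF (.fodt) document whose names would escape the font extraction directory. It assumes the ODF element names `svg:font-face-uri` / `xlink:href` for embedded font references, and the sample document below is constructed for this example.

```python
import posixpath
import xml.etree.ElementTree as ET
from typing import List, Optional

# ODF namespaces for flat XML documents (assumed from the ODF specification).
NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "style": "urn:oasis:names:tc:opendocument:xmlns:style:1.0",
    "svg": "urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}


def resolve_within(base_dir: str, href: str) -> Optional[str]:
    """Return the on-disk path for `href` if it stays inside `base_dir`, else None.

    This is the containment check an embedded-font extractor must apply before
    writing: reject empty names, NUL bytes, URI schemes / drive letters,
    absolute paths and any normalized path that climbs above base_dir.
    """
    if not href or "\x00" in href:
        return None
    # Treat backslashes as separators so Windows-style traversal is caught too.
    rel = href.replace("\\", "/")
    # A colon would indicate a scheme ("file:") or a drive letter ("C:").
    if ":" in rel or rel.startswith("/"):
        return None
    norm = posixpath.normpath(rel)
    # After normalization, anything starting with ".." escapes the base.
    if norm == "." or norm == ".." or norm.startswith("../"):
        return None
    return posixpath.join(base_dir, norm)


def find_unsafe_embedded_fonts(fodt_xml: str, base_dir: str = "/tmp/fonts") -> List[str]:
    """Scan a flat ODF document and return embedded font hrefs that fail containment."""
    root = ET.fromstring(fodt_xml)
    unsafe = []
    for uri in root.iter("{%s}font-face-uri" % NS["svg"]):
        href = uri.get("{%s}href" % NS["xlink"], "")
        if resolve_within(base_dir, href) is None:
            unsafe.append(href)
    return unsafe


# Constructed sample: one well-formed embedded font and two that would escape
# the extraction directory (relative traversal and an absolute path).
SAMPLE_FODT = """
<office:document xmlns:office="%(office)s" xmlns:style="%(style)s"
                 xmlns:svg="%(svg)s" xmlns:xlink="%(xlink)s">
  <office:font-face-decls>
    <style:font-face style:name="Good">
      <svg:font-face-src>
        <svg:font-face-uri xlink:href="good.ttf">
          <office:binary-data>AAAA</office:binary-data>
        </svg:font-face-uri>
      </svg:font-face-src>
    </style:font-face>
    <style:font-face style:name="Traversal">
      <svg:font-face-src>
        <svg:font-face-uri xlink:href="../../outside.ttf">
          <office:binary-data>AAAA</office:binary-data>
        </svg:font-face-uri>
      </svg:font-face-src>
    </style:font-face>
    <style:font-face style:name="Absolute">
      <svg:font-face-src>
        <svg:font-face-uri xlink:href="/tmp/abs.ttf">
          <office:binary-data>AAAA</office:binary-data>
        </svg:font-face-uri>
      </svg:font-face-src>
    </style:font-face>
  </office:font-face-decls>
</office:document>
""" % NS


if __name__ == "__main__":
    for bad in find_unsafe_embedded_fonts(SAMPLE_FODT):
        print("rejected embedded font reference:", bad)
```

The same `resolve_within` logic applies to any extractor that writes attacker-named files; normalizing first and then checking the result is what prevents `a/../../x` from slipping past a naive `startswith("..")` test.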

Source: https://securityonline.info/libreoffice-vulnerabilities-cve-2024-12425-cve-2024-12426-pocs-released-patch-asap/