In the recent issue of the Apache OpenOffice 4.1.15 office package without unnecessary publication (the information was disclosed after the release and initially the information about vulnerabilities was not mentioned in the list of changes), four vulnerabilities have been identified.
- Vulnerability CVE-2023-1183 allows arbitrary data to be written to a file in the system when opening specially executed OBD files (Office Binder Document) in OpenOffice Base. The attack is carried out by adding a script command to the document “Database/Script,” and the contents of this script are written to a new file.
- Vulnerability CVE-2012-5639 allows for the automatic loading and opening of internal or external resources without warning to the user. This vulnerability was initially identified in LibreOffice in 2012, but it was not addressed in OpenOffice until now.
- Vulnerability CVE-2022-43680 potentially enables code execution when opening specially executed documents in a memory-constrained situation. This vulnerability arises due to an error in the LibExpat library used to analyze data in XML format, which leads to an “Use after Free” issue.
- Vulnerability CVE-2023-47804 allows the document to contain a link that triggers the execution of a script without preliminary confirmation. This vulnerability introduces a new attack vector for the previously addressed issue CVE-2022-47502.
/Reports, release notes, official announcements.