Cyber Resilience

CVE-2023-2255

Medium

Published: 25 May 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score: 0.4355 (97.6th percentile)
Risk Priority: 37 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-2255 is a medium-severity vulnerability in LibreOffice; its weakness class (CWE) is unspecified. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is an improper access control flaw in the editor components of The Document Foundation LibreOffice. In affected versions, documents containing floating frames linked to external files would automatically load the contents of those frames without prompting the user for permission, unlike the handling of other linked content. This issue impacts LibreOffice 7.4 releases prior to 7.4.7 and 7.5 releases prior to 7.5.3.

An attacker can exploit the weakness by crafting a malicious document and distributing it to a target. When the recipient opens the file in an affected LibreOffice installation, external resources are fetched without user interaction or consent, resulting in limited integrity impact as reflected in the CVSS 5.3 score.

LibreOffice, Debian, and Gentoo advisories address the issue through updates that restore consistent prompting behavior for external frame content; users are advised to upgrade to the fixed releases.
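As an added defender-side example (not part of this advisory or of the LibreOffice project), the following Python checks a LibreOffice version string against the affected ranges stated above and lists the links declared by floating frames in an ODF document, which is the construct the flaw concerns; the element and namespace names are taken from the ODF 1.2 schema, and the sample document is constructed inside the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF 1.2 namespaces for the drawing and XLink vocabularies
DRAW = "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
XLINK = "http://www.w3.org/1999/xlink"

# First fixed patch level per affected branch, from the advisory text:
# 7.4 releases before 7.4.7 and 7.5 releases before 7.5.3 are affected.
FIRST_FIXED = {(7, 4): 7, (7, 5): 3}


def is_affected_version(version: str) -> bool:
    """True if a LibreOffice version string falls in an affected range."""
    parts = [int(p) for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))  # "7.4" is treated as 7.4.0
    major, minor, patch = parts
    fixed = FIRST_FIXED.get((major, minor))
    return fixed is not None and patch < fixed


def list_floating_frame_links(odf_bytes: bytes) -> list:
    """Return the xlink:href of every <draw:floating-frame> in an ODF package."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    hrefs = []
    for frame in root.iter(f"{{{DRAW}}}floating-frame"):
        # A floating frame displays another document named by its href, so
        # every hit is a linked external file of the kind the advisory describes.
        href = frame.get(f"{{{XLINK}}}href")
        if href:
            hrefs.append(href)
    return hrefs


def build_sample_odt(href: str) -> bytes:
    """Construct a minimal ODT containing one floating frame (sample data only)."""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        f'xmlns:draw="{DRAW}" xmlns:xlink="{XLINK}"><office:body><office:text>'
        f'<text:p><draw:frame><draw:floating-frame xlink:href="{href}"/>'
        '</draw:frame></text:p></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

Any document that reports one or more links should be reviewed before it is opened on a build for which `is_affected_version` returns true.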

EPSS for this CVE reached a peak of 0.5082 before receding to the current value of 0.4355.

Vulnerability details

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice, documents that used "floating frames" linked to external files would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

libreoffice / libreoffice: 7.4.0 to 7.4.7; 7.5.0 to 7.5.3
debian / debian linux: 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References