CVE-2023-0950

HIGH

LibreOffice 7.4.0-7.4.5 and 7.5.0 - Remote Code Execution via Malformed Spreadsheet Formula

Title source: llm

Description

Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected, leading to an array index underflow, in which case there is a risk that arbitrary code could be executed. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to 7.5.1.

References (4)

Core 4

Core References

Vendor Advisory

https://www.libreoffice.org/about-us/security/advisories/CVE-2023-0950

Third Party Advisory vendor-advisory

https://www.debian.org/security/2023/dsa-5415

Mailing List mailing-list

https://lists.debian.org/debian-lts-announce/2023/08/msg00014.html

Third Party Advisory vendor-advisory

https://security.gentoo.org/glsa/202311-15

Scores

CVSS v3 7.8

EPSS 0.0006

EPSS Percentile 19.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-129

Status published

Products (2)

debian/debian_linux 10.0

libreoffice/libreoffice 7.4.0 - 7.4.6

Published May 25, 2023

Tracked Since Feb 18, 2026