CVE-2023-2255

MEDIUM

LibreOffice 7.4.0-7.4.6 and 7.5.0-7.5.2 - Unauthenticated External Resource Loading via Floating Frame Links

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2023-2255. PoCs published by elweth-sec, G4sp4rCS, SaintMichae64.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2023-2255, which involves crafting a malicious ODT file to achieve remote code execution (RCE) by embedding a payload in the content.xml file. The exploit automates the process of injecting a command into the ODT file, which, when opened by a vulnerable system, executes the command to fetch and deploy a webshell.

Description

Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that would cause external links to be loaded without prompt. In the affected versions of LibreOffice documents that used "floating frames" linked to external files, would load the contents of those frames without prompting the user for permission to do so. This was inconsistent with the treatment of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.7; 7.5 versions prior to 7.5.3.

Exploits (3)

nomisec WORKING POC 63 stars
by elweth-sec · poc
https://github.com/elweth-sec/CVE-2023-2255

This repository contains a functional exploit for CVE-2023-2255, which involves crafting a malicious ODT file to achieve remote code execution (RCE) by embedding a payload in the content.xml file. The exploit automates the process of injecting a command into the ODT file, which, when opened by a vulnerable system, executes the command to fetch and deploy a webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Confluence Data Center and Server (versions affected by CVE-2023-2255)
No auth needed
Prerequisites: Access to a vulnerable Confluence instance · Ability to upload or deliver the malicious ODT file to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by G4sp4rCS · poc
https://github.com/G4sp4rCS/CVE-2023-2255

This repository contains a functional exploit for CVE-2023-2255, which creates a malicious ODT file embedding a Python payload. The payload executes arbitrary commands to add a user to the Administrators group, demonstrating RCE via script injection in OpenDocument files.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: OpenDocument Text (ODT) processors (e.g., LibreOffice, Apache OpenOffice)
No auth needed
Prerequisites: Victim must open the malicious ODT file · Target system must process embedded scripts in ODT files
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec WORKING POC
by SaintMichae64 · poc
https://github.com/SaintMichae64/CVE-2023-2255

The repository contains a Python script that embeds a payload into an ODT file as a macro, exploiting CVE-2023-2255. The exploit leverages macro execution in LibreOffice to achieve remote code execution (RCE).

Classification
Working Poc 80%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: LibreOffice (specific version not specified)
No auth needed
Prerequisites: Payload file (e.g., executable) · LibreOffice installation vulnerable to CVE-2023-2255
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 5.3
EPSS 0.0224
EPSS Percentile 80.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-264
Status published
Products (2)
debian/debian_linux 11.0
libreoffice/libreoffice 7.4.0 - 7.4.7
Published May 25, 2023
Tracked Since Feb 18, 2026