CVE-2023-6185
HIGH
LibreOffice 7.5.0-7.5.8 - GStreamer Plugin Execution via Embedded Video Filename
Title source: manual
Description
An Improper Input Validation vulnerability in the GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins. In affected versions, the filename of the embedded video is not sufficiently escaped when passed to GStreamer, enabling an attacker to run arbitrary GStreamer plugins, depending on which plugins are installed on the target system.
References (4)
Core References
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/QB7UB6CTWQUDOE657OVVRSDYUY3IPBJG/
Third Party Advisory
https://www.debian.org/security/2023/dsa-5574
Vendor Advisory
https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185
Scores
CVSS v3: 8.3
EPSS: 0.0144
EPSS Percentile: 81.0%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
Status: published
Products (4)
debian/debian_linux: 11.0
debian/debian_linux: 12.0
fedoraproject/fedora: 38
libreoffice/libreoffice: 7.5.0 - 7.5.9
Published: Dec 11, 2023
Tracked Since: Feb 18, 2026