CVE-2024-12425
LOW
LibreOffice 24.8.0.1-24.8.3 - Path Traversal and Arbitrary File Write via Embedded Font Files
Title source: llm
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in The Document Foundation LibreOffice allows Absolute Path Traversal. An attacker can write to arbitrary locations, albeit suffixed with ".ttf", by supplying a file in a format that supports embedded font files. This issue affects LibreOffice: from 24.8 before 24.8.4.
References (2)
Core References
Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html
Scores
CVSS v3
3.3
EPSS
0.0037
EPSS Percentile
59.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (3)
debian/debian_linux
11.0
libreoffice/libreoffice
24.8.0.0 alpha1 (2 CPE variants)
libreoffice/libreoffice
24.8.0.1 - 24.8.4
Published
Jan 07, 2025
Tracked Since
Feb 18, 2026