CVE-2024-12426

MEDIUM

LibreOffice 24.8.0.1-24.8.3 - Exposure of Sensitive Information via URL Environmental Variable Expansion

Title source: llm

Description

Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before 24.8.4.

Scores

CVSS v3 6.5
EPSS 0.0047
EPSS Percentile 65.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-200
Status published
Products (3)
debian/debian_linux 11.0
libreoffice/libreoffice 24.8.0.0 alpha1 (2 CPE variants)
libreoffice/libreoffice 24.8.0.1 - 24.8.4
Published Jan 07, 2025
Tracked Since Feb 18, 2026