CVE-2024-12426
Title: CVE-2024-12426: URL fetching can be used to exfiltrate arbitrary INI file values and environment variables
Announced: Jan 7, 2025
Fixed in: LibreOffice 24.8.4
Description:
URLs could be constructed which expanded environment variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links.
Prior to this fix, documents could include links that made use of an internal feature that expands environment variables and INI file values in URLs. In the fixed version, the expansion feature is not available for document-hosted URLs.
Users are recommended to upgrade to 24.8.4 to avoid this issue.
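As an added triage example (not code from the advisory or from the LibreOffice project), the script below opens an ODF package, collects every external hyperlink from content.xml and styles.xml, and flags targets that carry a variable-expansion-style placeholder, so that documents received before the upgrade to 24.8.4 can be reviewed. The advisory does not state the expansion syntax, so the `${...}` / `$(...)` pattern matched here is an assumption and a match means "inspect by hand", not a confirmed exploit; the sample document is constructed in memory for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XLINK_NS = "http://www.w3.org/1999/xlink"

# Assumed placeholder shapes (${NAME} or $(NAME)). The advisory gives no exact
# syntax, so a hit is a review trigger, not proof of a malicious link.
PLACEHOLDER_RE = re.compile(r"\$[{(][^})]*[})]")


def iter_hrefs(odt_bytes):
    """Yield (part, href) for every xlink:href attribute in the document parts that carry links."""
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                href = el.get(f"{{{XLINK_NS}}}href")
                if href is not None:
                    yield part, href


def find_suspicious_links(odt_bytes):
    """Return [(part, href)] for external links whose target contains a placeholder."""
    hits = []
    for part, href in iter_hrefs(odt_bytes):
        if href.startswith("#"):  # internal bookmark: cannot reach a remote server
            continue
        if PLACEHOLDER_RE.search(href):
            hits.append((part, href))
    return hits


def build_sample_odt(hrefs):
    """Construct a minimal ODF text package containing the given links (test data only)."""
    links = "".join(
        '<text:p><text:a xlink:type="simple" xlink:href=%s>link</text:a></text:p>'
        % ('"' + escape(h, {'"': "&quot;"}) + '"')
        for h in hrefs
    )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<office:document-content "
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        f"<office:body><office:text>{links}</office:text></office:body>"
        "</office:document-content>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: one plain link, one placeholder link, one internal bookmark.
    sample = build_sample_odt([
        "https://example.com/ok",
        "https://example.com/?v=${PLACEHOLDER}",
        "#bookmark${ignored}",
    ])
    for part, href in find_suspicious_links(sample):
        print(f"review: {part}: {href}")
```

Run it against real files by replacing the constructed sample with `open(path, "rb").read()`; the same walk works for .ods and .odp packages, which share the ODF container layout.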
Credit:
Thanks to Thomas Rinsma of Codean Labs for finding and reporting this issue.
Thanks to Caolán McNamara of Collabora Productivity for providing a fix.
References: