CVE-2024-12426

MEDIUM EPSS 40.7%

Published Jan 7, 20251y ago · Modified Jun 17, 20261w ago

6.7 CVSS 4.0

Medium

Published Jan 7, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Exposure of Environmental Variables and arbitrary INI file values to an Unauthorized Actor vulnerability in The Document Foundation LibreOffice. URLs could be constructed which expanded environmental variables or INI file values, so potentially sensitive information could be exfiltrated to a remote server on opening a document containing such links. This issue affects LibreOffice: from 24.8 before < 24.8.4.

CVSS Details

Base Score

6.7

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction P

Scope X

Threat Intelligence

EPSS Exploit Probability

40.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure

Affected Products 4

Vendor	Product	Version	Range
libreoffice	libreoffice	*	≥24.8.0.1 – <24.8.4
libreoffice	libreoffice	24.8.0.0	any
libreoffice	libreoffice	24.8.0.0	any
debian	debian_linux	11.0	any

References 2

lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00013.html

Mailing ListThird Party Advisory
libreoffice.org https://www.libreoffice.org/about-us/security/advisories/cve-2024-12426

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.