CVE-2023-2255


Remote documents loaded without prompt via IFrame

Improper access control in the editor components of The Document Foundation LibreOffice allowed an attacker to craft a document that caused external links to be loaded without prompting the user. In the affected versions, a document containing "floating frames" linked to external files would load the contents of those frames as soon as the document was opened, without asking the user for permission. This was inconsistent with how LibreOffice treats other linked content, which is not fetched until the user confirms. An unprompted fetch on open is enough for the document's author to learn that, when and from which address the file was opened, which is why the prompt matters. This issue affects The Document Foundation LibreOffice 7.4 versions prior to 7.4.7 and 7.5 versions prior to 7.5.3.
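The vector is visible in the document itself: an ODF text file is a ZIP package whose content.xml carries a <draw:floating-frame> element with an xlink:href. The script below is an added triage example for this page, not code from LibreOffice or from the advisory. It assumes the ODF 1.2 namespace URIs and element names, builds a constructed sample .odt with two external floating frames and one internal image link as a control, and reports only the frames whose target lies outside the package. It does not fix anything; the fix is to run 7.4.7, 7.5.3 or later, where the load prompts like other links do.

```python
"""Triage ODF text documents for floating frames that load content from
outside the package (the vector behind CVE-2023-2255).

Added example, not code from LibreOffice or from this page. It assumes the
ODF 1.2 namespace URIs and the <draw:floating-frame> element with its
xlink:href attribute; the sample document it builds is constructed here.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
FLOATING_FRAME = "{%s}floating-frame" % NS["draw"]
FRAME_NAME = "{%s}frame-name" % NS["draw"]
XLINK_HREF = "{%s}href" % NS["xlink"]
XLINK_ACTUATE = "{%s}actuate" % NS["xlink"]


def is_external(href: str) -> bool:
    """Package-relative IRIs ("Pictures/1.png", "./Object 1") stay inside the
    document. A scheme (http, https, file, smb, ...) or an absolute or UNC
    path means the frame is fetched from outside the file."""
    if not href:
        return False
    return bool(urlsplit(href).scheme) or href.startswith(("/", "\\\\"))


def find_external_floating_frames(odf_bytes: bytes) -> list[dict]:
    """Return one record per <draw:floating-frame> whose target is external."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as pkg:
        root = ET.fromstring(pkg.read("content.xml"))
    findings = []
    for frame in root.iter(FLOATING_FRAME):
        href = frame.get(XLINK_HREF, "")
        if is_external(href):
            findings.append({
                "frame_name": frame.get(FRAME_NAME, ""),
                "href": href,
                # ODF only permits "onLoad" for this element, which is why an
                # unpatched LibreOffice fetched the target as the file opened.
                "actuate": frame.get(XLINK_ACTUATE, ""),
            })
    return findings


def build_sample_odt(hrefs: list[str]) -> bytes:
    """Constructed sample: a minimal ODT with one floating frame per href and
    an internal image link as a control that must not be reported."""
    frames = "".join(
        f'<draw:frame draw:name="frame{i}" text:anchor-type="paragraph">'
        f'<draw:floating-frame draw:frame-name="frame{i}" xlink:href={quoteattr(h)} '
        'xlink:type="simple" xlink:show="embed" xlink:actuate="onLoad"/>'
        '</draw:frame>'
        for i, h in enumerate(hrefs)
    )
    xmlns = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content {xmlns} office:version="1.2">'
        '<office:body><office:text><text:p>'
        f'{frames}'
        '<draw:frame draw:name="img" text:anchor-type="paragraph">'
        '<draw:image xlink:href="Pictures/1.png" xlink:type="simple" '
        'xlink:show="embed" xlink:actuate="onLoad"/></draw:frame>'
        '</text:p></office:text></office:body></office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        # The mimetype entry must come first and be stored uncompressed.
        pkg.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                     compress_type=zipfile.ZIP_STORED)
        pkg.writestr("content.xml", content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_odt([
        "http://intranet.example/tracker.html",         # constructed target
        "file://fileserver.example/share/beacon.html",  # constructed target
    ])
    for hit in find_external_floating_frames(sample):
        print(f"external floating frame {hit['frame_name']!r} -> {hit['href']}")
```

Point the same function at a real .odt, .ods or .odp (all share the package layout and content.xml) to check mail-gateway samples before they reach a user on an unpatched build. The classification is deliberately simple: anything with a URI scheme or an absolute path counts as external, so a file:// or UNC target to an internal share is reported alongside an http:// one.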







Affected Software

Product: LibreOffice
Category: Office suite
Vulnerable versions:
  • from 7.4 before 7.4.7
  • from 7.5 before 7.5.3
Total vulnerable versions: 195
Vulnerable domains: 149 live websites (4.42% of the LibreOffice install base observed by this tracker)


Common Weakness Enumeration


CWE-264: Permissions, Privileges, and Access Controls



Details

  • Published: May 25, 2023
  • Updated: Nov 26, 2023

Credits

  • Amel Bouziane-Leblond for discovering and reporting the issue





Countries

United States: 25 websites
Germany: 41 websites
Italy: 14 websites
France: 8 websites
United Kingdom: 8 websites
Russia: 8 websites
Netherlands: 5 websites
Canada: 4 websites
Belgium: 3 websites
Brazil: 3 websites

TLDs

.com: 33 websites
.de: 30 websites
.net: 11 websites
.fr: 8 websites
.it: 7 websites
.org: 7 websites
.ru: 6 websites
.co.uk: 4 websites
.nl: 4 websites
.com.br: 3 websites

