The LibreOffice developers have released LibreOffice 24.8.5 to fix a hyperlink vulnerability, CVE-2025-0514. The vulnerability could allow links to be abused.
The vulnerability CVE-2025-0514
CVE-2025-0514 is caused by insufficient input validation in LibreOffice, which allows hyperlink targets that are Windows executables to be executed unconditionally when the link is activated. The issue affects LibreOffice 24.8 versions before 24.8.5. The vulnerability has been assigned a CVSS 4.0 score of 7.2 (High).
Fix with LibreOffice 24.8.5
The LibreOffice developers have published a security advisory for CVE-2025-0514. They write that LibreOffice lets hyperlinks in a document be activated with CTRL+click.
On Windows, the link target can be passed to the system's ShellExecute function for handling. To prevent attempts to start executable files, LibreOffice uses a mechanism that blocks paths to executable targets from being passed to ShellExecute.
In LibreOffice versions < 24.8.5, this mechanism could be bypassed by using non-file URLs that ShellExecute could interpret as Windows file paths. Attackers could therefore have executed arbitrary commands.
This bypass has been blocked in the corrected versions. All Windows users are recommended to update to LibreOffice >= 24.8.5.
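For triaging documents received before the update is rolled out, the following added example (not LibreOffice code and not the project's fix) lists every hyperlink target in an ODF file and flags those that are neither internal bookmarks nor on a scheme allowlist. The allowlist, the verdict names and the sample document are assumptions constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SAFE_SCHEMES = {"http", "https", "mailto"}  # assumption: local policy allowlist
# Shapes a Windows shell could treat as a file path: drive letter, UNC, backslash.
PATH_LIKE = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})|\\")


def classify(href: str) -> str:
    """Return 'internal', 'allowed', 'path-like' or 'review' for a link target."""
    href = href.strip()
    if href.startswith("#"):
        return "internal"          # bookmark inside the same document
    if PATH_LIKE.search(href):
        return "path-like"         # checked first: 'C:/x' would parse as scheme 'c'
    if urlsplit(href).scheme.lower() in SAFE_SCHEMES:
        return "allowed"
    return "review"                # file:, unknown schemes, relative targets


def scan_odf(data: bytes) -> list[tuple[str, str]]:
    """List (href, verdict) for every xlink:href in an ODF file's content.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as odf:
        root = ET.fromstring(odf.read("content.xml"))
    return [(el.get(XLINK_HREF), classify(el.get(XLINK_HREF)))
            for el in root.iter() if el.get(XLINK_HREF) is not None]


def sample_odf() -> bytes:
    """Constructed sample: a minimal content.xml holding four hyperlinks."""
    hrefs = ["https://example.org/", "#Section1",
             r"\\fileserver\share\tool.exe", "file:///C:/tmp/report.odt"]
    links = "".join(f'<text:a xlink:href="{h}">x</text:a>' for h in hrefs)
    xml = ('<office:document-content '
           'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
           'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
           'xmlns:xlink="http://www.w3.org/1999/xlink">'
           f'<text:p>{links}</text:p></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("content.xml", xml)
    return buf.getvalue()


if __name__ == "__main__":
    for href, verdict in scan_odf(sample_odf()):
        print(f"{verdict:10} {href}")
```

Anything reported as `path-like` or `review` deserves a manual look before the document is opened on an unpatched Windows installation.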