NVD Vulnerability Detail

CVE-2020-12803

Summary	ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form data can be submitted to a URI, for example, to an external web server. To create submittable forms, ODF implements the XForms W3C standard, which allows data to be submitted without the need for macros or other active scripting Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files. User-interaction is required to submit the form, but to avoid the possibility of malicious documents engineered to maximize the possibility of inadvertent user submission this feature has now been limited to http[s] URIs, removing the possibility to overwrite local files. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.
Publication Date	June 9, 2020, 1:15 a.m.
Registration Date	Jan. 26, 2021, 11:51 a.m.
Last Update	Nov. 21, 2024, 2 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:libreoffice:libreoffice::::::::					6.4.4

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:15.1:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:31:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00042.html	Broken Link
2	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html	Broken Link
3	https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html
4	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/
5	https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803	Vendor Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00042.html	Broken Link
7	https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803	Vendor Advisory
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/
9	https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html
10	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html	Broken Link

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

JVN Vulnerability Information

LibreOffice における入力確認に関する脆弱性

Title	LibreOffice における入力確認に関する脆弱性
Summary	LibreOffice には、入力確認に関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 9, 2020, midnight
Registration Date	July 9, 2020, 11:03 a.m.
Last Update	July 9, 2020, 11:03 a.m.

Affected System

The Document Foundation

LibreOffice 6.4.4 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-12803	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12803
LibreOffice
2	CVE-2020-12803	https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803
National Vulnerability Database (NVD)
3	CVE-2020-12803	https://nvd.nist.gov/vuln/detail/CVE-2020-12803

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

Change Log

No	Changed Details	Date of change
1	[2020年07月09日] 掲載	July 9, 2020, 11:03 a.m.