CVE-2021-25631 — Vulnetix

CVE-2021-25631 PUBLISHED CVSS 8.800000190734863 HIGH

In the LibreOffice 7-1 series in versions prior to 7.1.2, and in the 7-0 series in versions prior to 7.0.5, the denylist can be circumvented by manipulating the link so it doesn't match the denylist but results in ShellExecute attempting to launch an executable type.

EPSS 1.32% · 80.2th percentile

Risk Scores

CVSS v3.1

8.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score

1.32%

80.2th percentile

Affected Products

Vendor	Product	Versions
The Document Foundation	LibreOffice	7.1, 7.0
libreoffice	libreoffice	7.1.0, 7.0.0

Timeline

May 3, 2021 CVE Published
May 4, 2021 EPSS Score
Jul 7, 2021 EPSS Score
Nov 8, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Jan 9, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 13, 2022 EPSS Score
Jul 15, 2022 EPSS Score
Sep 15, 2022 EPSS Score
Jan 17, 2023 EPSS Score

References

https://positive.security/blog/url-open-rce#open-libreoffice url
https://www.libreoffice.org/about-us/security/advisories/cve-2021-25631/ url
https://nvd.nist.gov/vuln/detail/CVE-2021-25631 advisory
https://www.libreoffice.org/about-us/security/advisories/cve-2021-25631 url

Open in Interactive Console →