Back

CVE-2024-45045

Aug. 29, 2024, 5:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Collabora Online (Android/iOS mobile variants)

Source

security-advisories@github.com

Tags

security-advisories@github.com
2024-08-29
CVE-2024-45045
CWE-84

CVE-2024-45045 details

Published : Aug. 29, 2024, 5:15 p.m.
Last Modified : Aug. 29, 2024, 5:15 p.m.

Description

Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile (Android/iOS) device variants of Collabora Online it was possible to inject JavaScript via url encoded values in links contained in documents. Since the Android JavaScript interface allows access to internal functions, the likelihood that the app could be compromised via this vulnerability is considered high. Non-mobile variants are not affected. Mobile variants should update to the latest version provided by the platform appstore. There are no known workarounds for this vulnerability.

CVSS Score

1 2 3 4 5 6.3 7 8 9 10

Weakness

Weakness Name Description
CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page The web application improperly neutralizes user-controlled input for executable script disguised with URI encodings.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

Base Score

6.3

Exploitability Score

2.8

Impact Score

3.4

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

References

URL Source
https://github.com/CollaboraOnline/online/security/advisories/GHSA-78cg-rg4q-26qv security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.