CVE-2020-12803 : ODF documents can contain forms to be filled out by the user. Similar to HTML fo

ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form data can be submitted to a URI, for example, to an external web server. To create submittable forms, ODF implements the XForms W3C standard, which allows data to be submitted without the need for macros or other active scripting Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including file: URIs, enabling form submissions to overwrite local files. User-interaction is required to submit the form, but to avoid the possibility of malicious documents engineered to maximize the possibility of inadvertent user submission this feature has now been limited to http[s] URIs, removing the possibility to overwrite local files. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.

Published 2020-06-08 16:15:10

Updated 2023-12-31 14:15:42

Source Document Foundation, The

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2020-12803

Fedoraproject » Fedora » Version: 31
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Libreoffice » Libreoffice
Versions before (<) 6.4.4
cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-12803

EPSS FAQ

0.46%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 61 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-12803

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2020-12803

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-12803

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00042.html

[security-announce] openSUSE-SU-2020:1222-1: moderate: Security update f
Broken Link

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html

[SECURITY] [DLA 3703-1] libreoffice security update

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00058.html

[security-announce] openSUSE-SU-2020:1261-1: moderate: Security update f
Broken Link

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/

[SECURITY] Fedora 31 Update: libreoffice-6.3.6.2-4.fc31 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803

CVE-2020-12803 | LibreOffice - Free Office Suite - Based on OpenOffice - Compatible with Microsoft
Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PQIBAKXD7VO5IGBD7ZMH3GGBNR5R2IOA/

[SECURITY] Fedora 31 Update: libreoffice-6.3.6.2-4.fc31 - package-announce - Fedora Mailing-Lists

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2020-12803

Products affected by CVE-2020-12803

Exploit prediction scoring system (EPSS) score for CVE-2020-12803

CVSS scores for CVE-2020-12803

CWE ids for CVE-2020-12803

References for CVE-2020-12803