CVE-2025-64407
BaseFortify
Publication date: 2025-11-12
Last updated on: 2025-11-13
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | openoffice | all versions before 4.1.16 (4.1.16 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache OpenOffice allows an attacker to create a document with external links that load without user permission. Specifically, documents using a certain URI scheme can load external files automatically, potentially transmitting system information like environment variables or configuration settings without prompting the user.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive system information by automatically loading external links embedded in documents. This could expose environment variables or configuration data to attackers without user consent, potentially compromising system security and privacy.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Apache OpenOffice to version 4.1.16 or later; that release fixes the missing-authorization flaw that allows external links to be loaded without prompting the user.