Author: marcus
Date: Tue Nov 10 23:11:16 2020
New Revision: 1883279

URL: http://svn.apache.org/viewvc?rev=1883279&view=rev
Log:
Added bulletin for CVE-2020-13958

Added:
    openoffice/ooo-site/trunk/content/security/cves/CVE-2020-13958.html

Added: openoffice/ooo-site/trunk/content/security/cves/CVE-2020-13958.html
URL: 
http://svn.apache.org/viewvc/openoffice/ooo-site/trunk/content/security/cves/CVE-2020-13958.html?rev=1883279&view=auto
==============================================================================
--- openoffice/ooo-site/trunk/content/security/cves/CVE-2020-13958.html (added)
+++ openoffice/ooo-site/trunk/content/security/cves/CVE-2020-13958.html Tue Nov 
10 23:11:16 2020
@@ -0,0 +1,125 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>CVE-2020-13958</title>
+    <style type="text/css"></style>
+  </head>
+
+  <body>
+    <p>
+      <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-13958";>
+      CVE-2020-13958
+      </a>
+    </p>
+    <p>
+      <a href="https://www.openoffice.org/security/cves/CVE-2020-13958.html";>
+      Apache OpenOffice Advisory
+      </a>
+    </p>
+    <p style="text-align:center; font-size:largest">
+      <strong>
+        CVE-2020-13958 Unrestricted actions leads to arbitrary code execution 
in crafted documents
+      </strong>
+    </p>
+    <p style="text-align:center; font-size:larger">
+      <strong>
+        Fixed in Apache OpenOffice 4.1.8
+      </strong>
+    </p>
+    <p>
+      <strong>
+        Description
+      </strong>
+    </p>
+    <p>
+      A vulnerability in Apache OpenOffice scripting events allows an attacker 
to construct documents containing
+      hyperlinks pointing to an executable on the target users file system. 
These hyperlinks can be triggered
+      unconditionally. In fixed versions no internal protocol may be called 
from the document event handler and other
+      hyperlinks require a control-click.
+    </p>
+    <p>
+      <strong>
+        Severity: Low
+      </strong>
+    </p>
+    <p>
+      There are no known exploits of this vulnerability.
+      <br />
+      A proof-of-concept demonstration exists.
+    </p>
+    <p>
+      Thanks to the reporter for discovering this issue.
+    </p>
+    <p>
+      <strong>
+        Vendor: The Apache Software Foundation
+      </strong>
+    </p>
+    <p>
+      <strong>
+        Versions Affected
+      </strong>
+    </p>
+    <p>
+      All Apache OpenOffice versions 4.1.7 and older are affected.
+      <br />
+      OpenOffice.org versions may also be affected.
+    </p>
+    <p>
+      <strong>
+        Mitigation
+      </strong>
+    </p>
+    <p>
+      Install Apache OpenOffice 4.1.8 for the latest maintenance and 
cumulative security fixes. Use the Apache OpenOffice
+      <a href="https://www.openoffice.org/download/";>
+        download page
+      </a>.
+    </p>
+
+    <p>
+      <strong>
+        Acknowledgments
+      </strong>
+    </p>
+    <p>
+      The Apache OpenOffice Security Team would like to thank Imre Rad for 
discovering and reporting this attack vector.
+    </p>
+    <p>
+      <strong>
+        Further Information
+      </strong>
+    </p>
+    <p>
+      For additional information and assistance, consult the
+      <a href="https://forum.openoffice.org/";>
+        Apache OpenOffice Community Forums
+      </a>
+      or make requests to the
+      <a href="mailto:[email protected]";>
+        [email protected]
+      </a>
+      public mailing list.
+    </p>
+    <p>
+      The latest information on Apache OpenOffice security bulletins can be 
found at the
+      <a href="https://www.openoffice.org/security/bulletin.html";>
+        Bulletin Archive page
+      </a>.
+    </p>
+    <hr />
+    <p>
+      <a href="https://security.openoffice.org";>
+        Security Home
+      </a>
+      -&gt;
+      <a href="https://www.openoffice.org/security/bulletin.html";>
+        Bulletin
+      </a>
+      -&gt;
+      <a href="https://www.openoffice.org/security/cves/CVE-2020-13958.html";>
+        CVE-2020-13958
+      </a>
+    </p>
+  </body>
+</html>
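Review bot: the title paragraph's style uses font-size:largest, which is not a valid CSS font-size keyword, so the declaration is ignored and the CVE title renders smaller than the "Fixed in Apache OpenOffice 4.1.8" line below it, which uses the valid keyword larger; use x-large (or another valid value) instead. In the same title, "Unrestricted actions leads to" should read "lead to", and "target users file system" in the Description needs the apostrophe ("user's"). The sentence "Thanks to the reporter for discovering this issue." under Severity duplicates the Acknowledgments paragraph, which already credits Imre Rad by name, and can be dropped. The Description says "no internal protocol may be called from the document event handler" without naming the protocols concerned; naming them would let administrators still on 4.1.7 or older judge their exposure. The empty style element in the head can also be removed.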

