CVE-2025-1080

Publication date 4 March 2025

Last updated 11 March 2025

Ubuntu priority

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice a link in a browser using that scheme could be constructed with an embedded inner URL that when passed to LibreOffice could call internal macros with arbitrary arguments. This issue affects LibreOffice: from 24.8 before < 24.8.5, from 25.2 before < 25.2.1.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libreoffice	24.10 oracular	Fixed 4:24.8.5-0ubuntu0.24.10.2
	24.04 LTS noble	Fixed 4:24.2.7-0ubuntu0.24.04.3
	22.04 LTS jammy	Fixed 1:7.3.7-0ubuntu0.22.04.9
	20.04 LTS focal	Fixed 1:6.4.7-0ubuntu0.20.04.14

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-7337-1
LibreOffice vulnerability
10 March 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2025-1080
https://www.libreoffice.org/about-us/security/advisories/cve-2025-1080
https://gerrit.libreoffice.org/c/core/+/181016