Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile (Android/iOS) device variants of Collabora Online it was possible to inject JavaScript via URL-encoded values in links contained in documents. Since the Android JavaScript interface allows access to internal functions, the likelihood that the app could be compromised via this vulnerability is considered high. Non-mobile variants are not affected. Mobile variants should update to the latest version provided by the platform app store. There are no known workarounds for this vulnerability.
History

Tue, 03 Sep 2024 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Collabora, Collabora online, Google, Google android |
| Weaknesses | | CWE-79 |
| CPEs | | cpe:2.3:a:collabora:online:\*:\*:\*:\*:\*:\*:\*:\*, cpe:2.3:o:google:android:-:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Collabora, Collabora online, Google, Google android |

Thu, 29 Aug 2024 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 29 Aug 2024 17:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Collabora Online is a collaborative online office suite based on LibreOffice technology. In the mobile (Android/iOS) device variants of Collabora Online it was possible to inject JavaScript via URL-encoded values in links contained in documents. Since the Android JavaScript interface allows access to internal functions, the likelihood that the app could be compromised via this vulnerability is considered high. Non-mobile variants are not affected. Mobile variants should update to the latest version provided by the platform app store. There are no known workarounds for this vulnerability. |
| Title | | JavaScript Injection via url encoded values in links in Collabora Office Android |
| Weaknesses | | CWE-84 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-08-29T16:49:12.270Z

Updated: 2024-08-29T17:07:43.388Z

Reserved: 2024-08-21T17:53:51.331Z

Link: CVE-2024-45045

Vulnrichment

Updated: 2024-08-29T17:07:39.908Z

NVD

Status: Analyzed

Published: 2024-08-29T17:15:08.977

Modified: 2024-09-03T15:13:16.580

Link: CVE-2024-45045

Redhat

No data.