CVE-2023-6185

Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice allows an attacker to execute arbitrary GStreamer plugins.

In affected versions the filename of the embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary gstreamer plugins depending on what plugins are installed on the target system.

Published: Dec 11, 2023
Updated: May 4, 2025
CVE: CVE-2023-6185
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
libreoffice / libreoffice	7.6.0	7.6.3
libreoffice / libreoffice	7.5.0	7.5.9
fedoraproject / fedora	38	38.x
debian / debian_linux	11.0	11.0.x
debian / debian_linux	12.0	12.0.x

https://lists.debian.org/debian-lts-announce/2023/12/msg00026.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/QB7UB6CTWQUDOE657OVVRSDYUY3IPBJG/
https://www.debian.org/security/2023/dsa-5574
https://www.libreoffice.org/about-us/security/advisories/cve-2023-6185

Vulnerability Database

289,689

CVE-2023-6185