← Back to CVE List

CVE-2025-27791

Published: 2025-04-15T19:16Z
Last Modified: 2025-04-15T19:16Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhere the uid running Collabora Online can write, if such a response was supplied by a malicious WOPI server. By combining this flaw with a Time of Check, Time of Use DNS lookup issue with a WOPI server address under attacker control, it is possible to present such a response to be processed by a Collabora Online instance. This issue has been patched in versions 24.04.13.1, 23.05.19, and 22.05.25. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt