{"id":"CVE-2018-10120","details":"The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and 6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a denial of service (heap-based buffer overflow with write access) or possibly have unspecified other impact via a crafted document that contains a certain Microsoft Word record.","modified":"2026-05-18T05:51:23.638658428Z","published":"2018-04-16T09:58:10.557Z","related":["SUSE-SU-2018:1296-1","openSUSE-SU-2024:10983-1"],"database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"],"source":"CPE_FIELD","vendor_product":"canonical:ubuntu_linux","extracted_events":[{"last_affected":"14.04"},{"last_affected":"16.04"}]},{"cpes":["cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"7.0"},{"last_affected":"8.0"},{"last_affected":"9.0"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"redhat:enterprise_linux_desktop","extracted_events":[{"last_affected":"7.0"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"redhat:enterprise_linux_server","extracted_events":[{"last_affected":"7.0"}]},{"cpes":["cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"],"source":"CPE_FIELD","vendor_product":"redhat:enterprise_linux_workstation","extracted_events":[{"last_affected":"7.0"}]}]},"references":[{"type":"WEB","url":"https://gerrit.libreoffice.org/gitweb?p=core.git%3Ba=commit%3Bh=017fcc2fcd00af17a97bd5463d89662404f57667"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3054"},{"type":"ADVISORY","url":"https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6173"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/04/msg00021.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3883-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4178"},{"type":"ADVISORY","url":"https://www.libreoffice.org/about-us/security/advisories/cve-2018-10120/"},{"type":"FIX","url":"https://gerrit.libreoffice.org/#/c/49486/"},{"type":"FIX","url":"https://gerrit.libreoffice.org/#/c/49499/"},{"type":"FIX","url":"https://gerrit.libreoffice.org/#/c/49500/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libreoffice/core","events":[{"introduced":"0"},{"fixed":"7d6c666f03cf1f0a0c2c51a17c0f67a8d5a8012b"},{"fixed":"f7f06a8f319e4b62f9bc5095aa112a65d2f3ac89"}],"database_specific":{"cpe":"cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"5.4.6.1"},{"introduced":"6.0.0"},{"fixed":"6.0.2.1"}]}}],"versions":["libreoffice-6-0-branch-point","gpg4libre-review-5.4.99","libreoffice-5-4-branch-point","libreoffice-5-3-branch-point","libreoffice-5-2-branch-point","libreoffice-5-1-branch-point","libreoffice-5-0-branch-point","libreoffice-4-4-branch-point","libreoffice-4-3-branch-point","sdremote-2.0.0","libreoffice-4-2-branch-point","libreoffice-4-2-milestone-1","libreoffice-4-1-branch-point","libreoffice-4-0-branch-point","libreoffice-3-6-branch-point","libreoffice-3.5.0.0","libreoffice-3-5-branch-point","windows_build_successful_2011_11_08","MELD_LIBREOFFICE_REPOS"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2018-10120.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}