Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature     Spoofing by Improper Validation. In the affected versions of LibreOffice a flaw in the verification code     for adbe.pkcs7.sha1 signatures could cause invalid signatures to be accepted as valid This issue affects     LibreOffice: from 24.8 before < 24.8.6, from 25.2 before < 25.2.2. (CVE-2025-2866)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4205 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4205-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                       Daniel Leidert     June 01, 2025                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : libreoffice     Version        : 1:7.0.4-4+deb11u13     CVE ID         : CVE-2025-1080 CVE-2025-2866

    Multiple vulnerabilities were discovered in Libreoffice, an office     productivity software suite.

    CVE-2025-1080

       LibreOffice supports Office URI Schemes to enable browser        integration of LibreOffice with MS SharePoint server. An additional        scheme 'vnd.libreoffice.command' specific to LibreOffice was added.
       In the affected versions of LibreOffice a link in a browser using        that scheme could be constructed with an embedded inner URL that        when passed to LibreOffice could call internal macros with arbitrary        arguments.

    CVE-2025-2866

       LibreOffice allows PDF Signature Spoofing by Improper Validation. In        the affected versions of LibreOffice a flaw in the verification code        for adbe.pkcs7.sha1 signatures could cause invalid signatures to be        accepted as valid

    For Debian 11 bullseye, these problems have been fixed in version     1:7.0.4-4+deb11u13.

    We recommend that you upgrade your libreoffice packages.

    For the detailed security status of libreoffice please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libreoffice

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 host has packages installed that are affected by a vulnerability as referenced in the USN-7504-1 advisory.

    Juraj arinay discovered that LibreOffice incorrectly handled verifying PDF signatures. A remote attacker     could possibly use this issue to generate PDF files that appear to have a valid signature.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of LibreOffice installed on the remote host is prior to 24.8.6 or 25.2.2. It is, therefore, affected by a PDF signature spoofing vulnerability:

  - Improper Verification of Cryptographic Signature vulnerability in LibreOffice allows PDF Signature Spoofing by     Improper Validation. In the affected versions of LibreOffice a flaw in the verification code for adbe.pkcs7.sha1     signatures could cause invalid signatures to be accepted as valid This issue affects LibreOffice: from 24.8 before     < 24.8.6, from 25.2 before < 25.2.2.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5908 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5908-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     April 28, 2025                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : libreoffice     CVE ID         : CVE-2025-2866

    Juray Sarinay discovered that PDF documents signed with the     adbe.pkcs7.sha1 standard were incompletely validated by LibreOffice,     which could cause invalid signatures to be accepted as legitimate.

    For the stable distribution (bookworm), this problem has been fixed in     version 4:7.4.7-1+deb12u8.

    We recommend that you upgrade your libreoffice packages.

    For the detailed security status of libreoffice please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/libreoffice

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
260214	Linux Distros Unpatched Vulnerability : CVE-2025-2866	Nessus	Misc.	low
237631	Debian dla-4205 : fonts-opensymbol - security update	Nessus	Debian Local Security Checks	high
235613	Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 : LibreOffice vulnerability (USN-7504-1)	Nessus	Ubuntu Local Security Checks	low
235031	LibreOffice 24.8.x < 24.8.6 / 25.2.x < 25.2.2 (CVE-2025-2866)	Nessus	Misc.	medium
234915	Debian dsa-5908 : fonts-opensymbol - security update	Nessus	Debian Local Security Checks	low

Detections

Analytics

CVE-2025-2866

low

Tenable Plugins

low

high

low

medium

low