CVE-2023-2255: 
NixOS vulnerability analysis and mitigation

CVE-2023-2255 is a security vulnerability discovered in LibreOffice's editor components, disclosed on May 24, 2023. The vulnerability affects The Document Foundation LibreOffice versions 7.4 prior to 7.4.7 and 7.5 prior to 7.5.3. The issue involves improper access control in the editor components that allowed attackers to craft documents containing floating frames that would load external links without user prompts (LibreOffice Advisory).

The vulnerability stems from LibreOffice's support for 'Floating Frames', a feature similar to HTML IFrames that displays linked documents within a floating frame inside the host document. In affected versions, these floating frames would automatically fetch and display linked documents without prompting the user for permission, which was inconsistent with LibreOffice's standard security behavior for other linked content such as OLE objects, Writer linked sections, or Calc WEBSERVICE formulas (LibreOffice Advisory, Security Online).

The vulnerability could allow an attacker to craft a document that would cause external links to be loaded without user consent, potentially leading to unauthorized access to external resources. This behavior bypassed LibreOffice's standard security measures for handling linked content (Debian Security).

The vulnerability was fixed in LibreOffice versions 7.4.7 and 7.5.3. The fix expanded the existing 'update link' manager to control the update of IFrame content, ensuring that IFrames will not automatically refresh their content unless the user explicitly agrees via prompts. Users are recommended to upgrade to these or later versions (LibreOffice Advisory, Debian LTS).