First published: Tue Oct 11 2022
LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme, 'vnd.libreoffice.command', specific to LibreOffice was added. In the affected versions of LibreOffice, links using that scheme could be constructed to call internal macros with arbitrary arguments; when such a link is clicked on, or activated by document events, the result could be arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.
Credit: security@documentfoundation.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/libreoffice | <=1:6.1.5-3+deb10u7 | 1:6.1.5-3+deb10u10, 1:7.0.4-4+deb11u7, 4:7.4.7-1, 4:7.5.6-1, 4:7.5.8~rc1-1 |
The Document Foundation LibreOffice | >=7.3.0 <7.3.6 | |
The Document Foundation LibreOffice | =7.4.0 | |
Debian | =11.0 | |
Fedoraproject Fedora | =35 | |
CVE-2022-3140 is a vulnerability in LibreOffice that allows for the construction of links using the 'vnd.libreoffice.command' scheme to call internal macros.
LibreOffice's Office URI Schemes exist to integrate the browser with MS SharePoint server; the flaw lies in the additional LibreOffice-specific 'vnd.libreoffice.command' scheme, which lets a crafted link call internal macros with arbitrary arguments.
LibreOffice 7.3 versions from 7.3.0 up to but not including 7.3.6, as well as version 7.4.0, are affected by CVE-2022-3140.
An attacker can use the 'vnd.libreoffice.command' scheme to construct links that call internal macros; when a victim clicks such a link, or a document event activates it, the result can be arbitrary script execution on the victim's system without any warning.
To mitigate the vulnerability, update your LibreOffice installation to a version that is not affected by CVE-2022-3140.
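As an added defender-side example (not from the advisory or from LibreOffice), the following Python scans an ODF package (.odt/.ods/.odp, which are zip archives) for hyperlinks using the 'vnd.libreoffice.command' scheme named above, and checks a LibreOffice version string against the affected ranges. It assumes links appear as `xlink:href` attributes in content.xml or styles.xml and uses a regex rather than a full XML parser; the sample documents are constructed inline with a placeholder link target.

```python
import io
import re
import zipfile
from typing import List

# Scheme named in the advisory; any hyperlink using it in a document
# from an untrusted source is worth flagging for review.
SUSPECT_SCHEME = "vnd.libreoffice.command"

# ODF hyperlinks are xlink:href attributes; URI schemes are
# case-insensitive, so match accordingly.
_HREF_RE = re.compile(
    r'xlink:href\s*=\s*"(\s*' + re.escape(SUSPECT_SCHEME) + r':[^"]*)"',
    re.IGNORECASE,
)


def find_command_links(odf_bytes: bytes) -> List[str]:
    """Return every vnd.libreoffice.command: link found in an ODF package.

    content.xml holds the body; styles.xml holds headers/footers, which
    can also carry links, so both are scanned.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        for name in ("content.xml", "styles.xml"):
            if name not in zf.namelist():
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            hits.extend(m.group(1).strip() for m in _HREF_RE.finditer(xml))
    return hits


def is_affected_version(version: str) -> bool:
    """True if a LibreOffice version is in the advisory's affected ranges:
    7.3.x before 7.3.6, or 7.4.x before 7.4.1 (e.g. '7.4.0.3')."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts = parts + (0,) * (3 - len(parts))
    return (7, 3, 0) <= parts < (7, 3, 6) or (7, 4, 0) <= parts < (7, 4, 1)


def _make_odf(content_xml: str) -> bytes:
    """Build a minimal constructed ODF package in memory (demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", content_xml)
    return buf.getvalue()


# Constructed samples: an ordinary https link, and a link using the
# suspect scheme whose target is deliberately just a placeholder.
_XMLNS = 'xmlns:xlink="http://www.w3.org/1999/xlink"'
CLEAN_DOC = _make_odf(f'<doc {_XMLNS}><a xlink:href="https://example.org/">s</a></doc>')
SUSPECT_DOC = _make_odf(f'<doc {_XMLNS}><a xlink:href="vnd.libreoffice.command:PLACEHOLDER">x</a></doc>')
```

Run `find_command_links()` over documents as they arrive (mail gateway, upload handler) and treat any hit as a reason to quarantine the file until the client is confirmed to be at 7.3.6 / 7.4.1 or later.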