CVE-2022-3140

CVE-2022-3140: Macro URL arbitrary script execution

Vendor: The Document Foundation
Product: LibreOffice
Weakness: CWE-20 · Input validation
Published: October 11, 2022
Last update: August 3, 2024

What the vulnerability does

01 Description

LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme, 'vnd.libreoffice.command', specific to LibreOffice was added. In the affected versions of LibreOffice, links using that scheme could be constructed to call internal macros with arbitrary arguments. When clicked on, or activated by document events, such links could result in arbitrary script execution without warning. This issue affects The Document Foundation LibreOffice 7.4 versions prior to 7.4.1 and 7.3 versions prior to 7.3.6.

Key dates

02 Disclosure timeline

October 11, 2022: CVE published
August 3, 2024: Record updated