CVE-2022-3140: LibreOffice arbitrary script execution flaw

LibreOffice has released the latest version 7.3.6/7.4.1 of its open-source office software to address a new vulnerability that could allow attackers to execute arbitrary scripts.

LibreOffice is a free and powerful office suite and a successor to OpenOffice.org (commonly known as OpenOffice) and is available for Windows, Linux, and macOS systems. Its clean interface and feature-rich tools help you unleash your creativity and enhance your productivity.

The vulnerability, found by TheSecurityDev working with Trend Micro Zero Day Initiative and tracked as CVE-2022-3140, affects the Office URI Schemes in LibreOffice. The attacker needs to somehow trick the targeted individual into opening a malicious file in order to trigger the exploit.

“LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme ‘vnd.libreoffice.command’ specific to LibreOffice was added,” reads the security advisories.

“In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning,” continues the advisory.

The CVE-2022-3140 bug affects LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.