CVE-2022-3140
MEDIUM
LibreOffice <7.4.1 and <7.3.6 - Macro Execution via Office URI Scheme
Title source: manual
Description
LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme, 'vnd.libreoffice.command', specific to LibreOffice was added. In the affected versions of LibreOffice, links using that scheme could be constructed to call internal macros with arbitrary arguments. Such links, when clicked on or activated by document events, could result in arbitrary script execution without warning. This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to 7.3.6.
References (5)
Core 5
Core References
Third Party Advisory vendor-advisory
https://www.debian.org/security/2022/dsa-5252
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TORANVTIWWBH3DNJR4UZATAG67KZOH32/
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202212-04
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2023/03/msg00022.html
Scores
CVSS v3
6.3
EPSS
0.0435
EPSS Percentile
89.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Details
CWE
CWE-88
CWE-20
Status
published
Products (4)
debian/debian_linux
11.0
fedoraproject/fedora
35
libreoffice/libreoffice
7.4.0
libreoffice/libreoffice
7.3.0 - 7.3.6
Published
Oct 11, 2022
Tracked Since
Feb 18, 2026