
URL: https://www.libreoffice.org/about-us/security/advisories/cve-2022-3140/
Submission: On October 13 via api from IN — Scanned from DE

CVE-2022-3140

Title: Macro URL arbitrary script execution

Announced: October 11, 2022

Fixed in: LibreOffice 7.3.6/7.4.1

Description:

LibreOffice supports Office URI Schemes to enable browser integration of
LibreOffice with MS SharePoint server. An additional scheme
'vnd.libreoffice.command' specific to LibreOffice was added.

In the affected versions of LibreOffice, links using that scheme could be
constructed to call internal macros with arbitrary arguments. When clicked, or
activated by document events, such links could result in arbitrary script
execution without warning.

In versions >= 7.3.6 (and >= 7.4.1) such unwanted command URIs are blocked from 
execution.

Credits:

 * TheSecurityDev working with Trend Micro Zero Day Initiative

References:

    CVE-2022-3140

