[tdf-discuss] security related information, CVE-2022-3140

Caolán McNamara <caolanm -AT- redhat.com>

Tue, 11 Oct 2022 14:16:41 +0100

tl;dr: Upgrade to 7.3.6 or 7.4.1 CVE-2022-3140: Macro URL arbitrary script execution LibreOffice supports Office URI Schemes to enable browser integration of LibreOffice with MS SharePoint server. An additional scheme 'vnd.libreoffice.command' specific to LibreOffice was added. In the affected versions of LibreOffice links using that scheme could be constructed to call internal macros with arbitrary arguments. Which when clicked on, or activated by document events, could result in arbitrary script execution without warning. https://www.libreoffice.org/about-us/security/advisories/CVE-2022-3140 -- To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette List archive: https://listarchives.documentfoundation.org/www/discuss/ Privacy Policy: https://www.documentfoundation.org/privacy

Context

[tdf-discuss] security related information, CVE-2022-3140 · Caolán McNamara

Privacy Policy | Impressum (Legal Info) | Copyright information: Unless otherwise specified, all text and images on this website are licensed under the Creative Commons Attribution-Share Alike 3.0 License. This does not include the source code of LibreOffice, which is licensed under the Mozilla Public License (MPLv2). "LibreOffice" and "The Document Foundation" are registered trademarks of their corresponding registered owners or are in actual use as trademarks in one or more countries. Their respective logos and icons are also subject to international copyright laws. Use thereof is explained in our trademark policy.