Critical LibreOffice arbitrary script execution vulnerability allows taking control of the device with a single click

LibreOffice is a free and open-source office productivity software suite, a project of The Document Foundation. It was forked in 2010 from OpenOffice.org, an open-sourced version of the earlier StarOffice. The Document Foundation has published an advisory for a critical vulnerability in its office product.

Macro URL arbitrary script execution: CVE-2022-3140

Description

The flaw enables a remote adversary to run any shell commands they choose on the victim machine.

The flaw is caused by insufficient validation of the parameters passed through the "vnd.libreoffice.command" URI scheme. By crafting a document that carries such a link and deceiving the target into opening it, a remote adversary can invoke internal macros with arbitrary parameters.

Successful exploitation gives the adversary full control of the affected system.

Mitigation

Install updates from the LibreOffice website for the following vulnerable software versions:

LibreOffice: 7.4.0.1 – 7.4.0.3, 7.3.5.1 – 7.3.5.2, 7.3.4.1 – 7.3.4.2, 7.3.3.1 – 7.3.3.2, 7.3.2.1 – 7.3.2.2, 7.3.1.1 – 7.3.1.3, 7.3.0.1 – 7.3.0.3