6.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
0.002 Low
EPSS
Percentile
56.2%
LibreOffice supports Office URI Schemes to enable browser integration of
LibreOffice with MS SharePoint server. An additional scheme
‘vnd.libreoffice.command’ specific to LibreOffice was added. In the
affected versions of LibreOffice links using that scheme could be
constructed to call internal macros with arbitrary arguments. Which when
clicked on, or activated by document events, could result in arbitrary
script execution without warning. This issue affects: The Document
Foundation LibreOffice 7.4 versions prior to 7.4.1; 7.3 versions prior to
7.3.6.
Author | Note |
---|---|
mdeslaur | This is fixed in (1:7.3.6-0ubuntu0.22.04.1) in jammy, but is not yet in the security pocket. Fourth commit is in 7.3.7, appears related and used by Debian, possibly not needed to fix the CVE. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libreoffice | < 1:6.0.7-0ubuntu0.18.04.12 | UNKNOWN |
ubuntu | 20.04 | noarch | libreoffice | < 1:6.4.7-0ubuntu0.20.04.6 | UNKNOWN |
ubuntu | 22.04 | noarch | libreoffice | < 1:7.3.6-0ubuntu0.22.04.2 | UNKNOWN |