In the free office suite LibreOffice, a vulnerability (CVE-2022-3140) has been identified that allows arbitrary scripts to be executed when a user clicks a specially prepared link in a document or when a certain event is triggered while working with the document. The problem is fixed in the LibreOffice 7.3.6 and 7.4.1 updates.
The vulnerability is caused by the addition of support for an additional macro call scheme, ‘vnd.libreoffice.command’, specific to LibreOffice. This scheme is also used in the URIs that integrate LibreOffice with the MS SharePoint server. An attacker can use such URIs to create links that call any internal macro with arbitrary arguments. When such a link is clicked, or when an event in the document is activated, it can launch scripts without a warning being shown to the user.