CVE-2022-3140: 
NixOS vulnerability analysis and mitigation

LibreOffice supports Office URI Schemes to enable browser integration with MS SharePoint server. A vulnerability was discovered in the additional scheme 'vnd.libreoffice.command' specific to LibreOffice. This vulnerability affects The Document Foundation LibreOffice versions 7.4 prior to 7.4.1 and 7.3 versions prior to 7.3.6 (LibreOffice Advisory).

The vulnerability exists within the parsing of document files where links using the 'vnd.libreoffice.command' scheme could be constructed to call internal macros with arbitrary arguments. The issue results from an exposed dangerous function. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD, ZDI Advisory).

When exploited, this vulnerability could result in arbitrary script execution without warning when a malicious link is clicked on or activated by document events. The impact affects confidentiality, integrity, and availability at a low level, requiring user interaction to exploit (NVD).

The vulnerability has been fixed in LibreOffice versions 7.3.6 and 7.4.1, where such unwanted command URIs are blocked from execution. Users are recommended to upgrade to these or later versions (LibreOffice Advisory, Debian Advisory).