
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-3044 affects LibreOffice's graphic on-click binding functionality. The vulnerability was discovered on May 14, 2024, and allows an attacker to create a document that executes built-in LibreOffice scripts without prompting when a user clicks on a graphic. The vulnerability affects various versions of LibreOffice prior to versions 7.6.7 and 24.2.3 (LibreOffice Advisory).
The vulnerability stems from LibreOffice's feature that supports binding scripts to click events on graphics. In affected versions, there are scenarios where built-in scripts, which were previously considered trusted but are now deemed untrusted, can be executed without warning when a user clicks on a document with such on-click handlers. The CVSS v3.1 base score is 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (NVD).
If exploited, this vulnerability could allow an attacker to execute arbitrary scripts built into LibreOffice when a user clicks on a specially crafted graphic within a document. This could potentially lead to unauthorized script execution and compromise the security of the affected system (Ubuntu Security).
The vulnerability has been fixed in LibreOffice versions 7.6.7 and 24.2.3. In the fixed versions, the user's explicit macro execution permissions for the document, determined at load time, are used for these handlers. Users are strongly recommended to upgrade to these versions or later to mitigate the vulnerability (LibreOffice Advisory).
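For triage while upgrades roll out, the on-click bindings described above can be listed from a document's XML. This is an added example, not code from LibreOffice or the advisory; it assumes ODF files store such handlers as `script:event-listener` elements under `office:event-listeners` in `content.xml`, and that built-in scripts use `location=share` or `location=application` in the script URI. The sample document and its script name are constructed placeholders, and a hardened XML parser should replace ElementTree when scanning untrusted files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS = {
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "xlink": "http://www.w3.org/1999/xlink",
}
# Assumption: scripts shipped with the installation carry one of these location values.
BUILTIN_LOCATIONS = {"share", "application"}

def q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def find_graphic_script_bindings(odf_bytes):
    """List script event listeners attached to draw:* elements in content.xml."""
    with zipfile.ZipFile(io.BytesIO(odf_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    findings = []
    for elem in root.iter():
        if not elem.tag.startswith("{%s}" % NS["draw"]):
            continue
        for lst in elem.findall("office:event-listeners/script:event-listener", NS):
            href = lst.get(q("xlink", "href"), "")
            # The script location is a query parameter of the handler URI.
            location = parse_qs(href.partition("?")[2]).get("location", [""])[0]
            findings.append({"shape": elem.get(q("draw", "name"), ""),
                             "event": lst.get(q("script", "event-name"), ""),
                             "href": href, "builtin": location in BUILTIN_LOCATIONS})
    return findings

def build_sample(location="application"):
    """Constructed test document: one graphic bound to a placeholder script name."""
    decl = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    content = (
        "<office:document-content %s><office:body><office:text>"
        '<draw:frame draw:name="Image1"><office:event-listeners>'
        '<script:event-listener script:language="ooo:script" script:event-name="dom:click" '
        'xlink:href="vnd.sun.star.script:ExampleLib.ExampleModule.Placeholder'
        '?language=Basic&amp;location=%s"/>'
        "</office:event-listeners></draw:frame>"
        "</office:text></office:body></office:document-content>" % (decl, location)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()
```

Documents that report `builtin: True` on a click event are the ones worth holding back from hosts still running versions older than 7.6.7 or 24.2.3.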
The vulnerability was discovered and reported by Amel Bouziane-Leblond, with Collabora Productivity providing the fix. Multiple Linux distributions have released security updates to address this vulnerability, including Ubuntu, Debian, and Fedora (Debian LTS, Fedora Update).
Source: This report was generated using AI