Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. This is a corner case of CVE-2022-47502.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
| Link | Tags |
|---|---|
| https://lists.apache.org/thread/ygp59swfcy6g46jf8v9s6qpwmxn8fsvb | vendor advisory mailing list |
| https://www.openoffice.org/security/cves/CVE-2023-47804.html | patch vendor advisory |
| http://www.openwall.com/lists/oss-security/2024/01/03/3 | third party advisory mailing list |