======================================================================

                               CERT-Renater

                    Note d'Information No. 2024/VULN250
_____________________________________________________________________

DATE                : 16/05/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running LibreOffice versions prior to
                                     7.6.7/24.2.3.

=====================================================================
https://www.libreoffice.org/about-us/security/advisories/cve-2024-3044/
_____________________________________________________________________

CVE-2024-3044

Title: CVE-2024-3044: Graphic on-click binding allows unchecked
script execution

Announced: May 14, 2024

Fixed in: LibreOffice 7.6.7/24.2.3


Description:

LibreOffice supports binding scripts to click events on graphics. In
affected version of LibreOffice there are scenarios where built-in
scripts can be executed without warning if the user clicks on a
document with such on-click handlers.

In early versions of LibreOffice these scripts were deemed trusted,
but are now deemed untrusted.

In the fixed versions the user's explicit macro execution permissions
for the document, determined at load time, are used for these handlers.

Users are recommended to upgrade to 7.6.7 or 24.2.3 to avoid this flaw.


Credit:

Thanks to Amel Bouziane-Leblond for for finding and reporting this
issue.
Thanks to Collabora Productivity for providing a fix.


References:

     CVE-2024-3044


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================