CVE-2023-47804 in OpenOffice

Summary

by MITRE • 12/29/2023

Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. This is a corner case of CVE-2022-47502.


Analysis

by VulDB Data Team • 02/04/2026

Apache OpenOffice vulnerability CVE-2023-47804 represents a critical security flaw in document processing software that enables unauthorized macro execution through specially crafted document links. This vulnerability specifically affects versions of Apache OpenOffice where the application fails to properly validate and request user consent for certain URI scheme links that trigger internal macro execution. The flaw operates by leveraging the document's hyperlink functionality to invoke macros with arbitrary arguments, bypassing normal security controls that should require explicit user approval before executing potentially malicious code.

The technical implementation of this vulnerability stems from improper handling of URI schemes within OpenOffice documents, particularly those designed to call internal macros. When documents contain links using specific URI schemes, these links can automatically execute macros without prompting the user for confirmation. This behavior constitutes a direct violation of standard security practices for document processing applications, as it removes the essential user consent mechanism that protects against unauthorized code execution. The vulnerability is particularly concerning because it affects automatic document events, meaning macros can execute without any user interaction beyond opening the document, and also through manual clicks on malicious links.

The operational impact of CVE-2023-47804 extends beyond simple macro execution, creating potential for full system compromise when malicious documents are opened. Attackers can craft documents that contain embedded links designed to execute arbitrary scripts with elevated privileges, potentially leading to data exfiltration, system persistence, or further exploitation. The vulnerability's classification as a corner case of CVE-2022-47502 indicates it shares underlying architectural flaws in the URI scheme handling logic, though it manifests through a more specific set of conditions. This vulnerability directly relates to CWE-78 and CWE-79, which address command injection and cross-site scripting vulnerabilities respectively, as both involve the execution of untrusted code through user-controllable inputs.

Mitigation strategies for this vulnerability must address both immediate protection and long-term architectural fixes. Users should immediately update to patched versions of Apache OpenOffice where the URI scheme validation has been properly implemented to require explicit user consent for macro execution. Organizations should implement document scanning policies that identify and quarantine documents containing suspicious URI schemes, particularly those that could trigger macro execution. Security teams should also consider implementing application whitelisting controls that restrict the execution of macros to trusted sources only. The ATT&CK framework's T1059.007 technique for "Command and Scripting Interpreter: PowerShell" and T1204.002 for "User Execution: Malicious File" are relevant to understanding how this vulnerability could be exploited in targeted attacks, as it enables both automated and user-initiated malicious code execution through document-based delivery mechanisms.
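A sketch of the document-scanning control described above, added here as an example and not taken from VulDB, MITRE or the Apache OpenOffice project. It unpacks an ODF package, walks content.xml and styles.xml, and reports every xlink:href whose scheme is on a watch list, separating click links from event listeners that fire without a click. The scheme prefixes in SUSPICIOUS_SCHEMES are an assumption (the advisory names none), and the sample document is constructed with placeholder targets.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # stdlib parser; use a hardened XML parser for untrusted files

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
SCRIPT_NS = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"
# Assumption: scheme prefixes treated as macro/command-invoking; the advisory names none.
SUSPICIOUS_SCHEMES = ("vnd.sun.star.script:", "macro:", ".uno:", "slot:")

def scan_odf(data: bytes) -> list[tuple[str, str, str]]:
    """Return (part, trigger, href) for every link whose scheme is on the watch list."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in ("content.xml", "styles.xml"):
            if part not in zf.namelist():
                continue
            for elem in ET.fromstring(zf.read(part)).iter():
                href = elem.get(XLINK_HREF, "").strip()
                if not href.lower().startswith(SUSPICIOUS_SCHEMES):
                    continue
                if elem.tag == SCRIPT_NS + "event-listener":
                    # Bound to a document event, so it fires without a click.
                    trigger = "event:" + elem.get(SCRIPT_NS + "event-name", "?")
                else:
                    trigger = "link"
                findings.append((part, trigger, href))
    return findings

def build_sample() -> bytes:
    """Constructed ODF-like package: one ordinary link, one click link, one event link."""
    ns = ('xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
          'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
          'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
          'xmlns:xlink="http://www.w3.org/1999/xlink"')
    content = (f'<office:document-content {ns}><office:scripts><office:event-listeners>'
               '<script:event-listener script:event-name="dom:load" xlink:href="macro:PLACEHOLDER"/>'
               '</office:event-listeners></office:scripts><office:body><office:text>'
               '<text:p><text:a xlink:href="https://example.org/">ok</text:a></text:p>'
               '<text:p><text:a xlink:href="VND.SUN.STAR.SCRIPT:PLACEHOLDER">x</text:a></text:p>'
               '</office:text></office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("content.xml", content)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_odf(build_sample()):
        print(finding)
```

A hit only means the document carries a macro-invoking link and should be quarantined for review; it does not show that the link bypasses the approval prompt.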

Reservation: 11/12/2023
Disclosure: 12/29/2023
Moderation: accepted
CPE: ready
EPSS: 0.02727
KEV: no
Activities: very low
