Vulnerability Watch

Forum Discussion

Anonymous
7 years ago

Researcher Alex Inführ[1] disclosed a LibreOffice vulnerability (CVE-2018-16858) in versions 6.1.0-6.1.3.1 which shows that code injection is possible on Windows and Linux when a user hovers their mouse over a malicious URL.

Update: Tenable Research was able to confirm that this vulnerability is also exploitable on macOS by editing the Proof of Concept (PoC) code.

Proof of Concept video: https://youtu.be/gChvv570faQ

LibreOffice addressed the vulnerability in a previous release, and upgrading to the latest version[2] (6.1.4) should mitigate the vulnerability. If you are currently on LibreOffice’s Still Branch (6.0.x), you are not affected by this vulnerability as that branch does not support passing parameters.
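To turn the affected-version statement above into an inventory check, here is an added example (not from the post or from Tenable) that parses `soffice --version`-style output and classifies each host using only the ranges the post gives: 6.1.0 through 6.1.3.1 affected, 6.1.4 fixed, 6.0.x Still Branch not affected. The output format, host names and version strings are constructed assumptions.

```python
import re

# Version facts exactly as stated in the post; anything outside them is "unknown".
AFFECTED_LOW = (6, 1, 0, 0)    # first affected release (6.1.0)
AFFECTED_HIGH = (6, 1, 3, 1)   # last affected release (6.1.3.1)
FIXED = (6, 1, 4, 0)           # release that addresses the issue (6.1.4)

# Assumed format: "LibreOffice <version> <build-id>" as printed by `soffice --version`.
VERSION_RE = re.compile(r"LibreOffice\s+(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract the version as a 4-tuple, padding so 6.1.4 compares equal to 6.1.4.0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no LibreOffice version string found")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version):
    """Map a version tuple onto the status the post supports."""
    if version[:2] == (6, 0):
        return "not_affected"  # Still Branch: no parameter passing, per the post
    if AFFECTED_LOW <= version <= AFFECTED_HIGH:
        return "affected"
    if version >= FIXED:
        return "fixed"
    # e.g. pre-6.0 releases, or 6.1.3.x builds newer than 6.1.3.1: not listed in the post
    return "unknown"


def check_hosts(outputs):
    """outputs: {host: raw version output}. Returns {host: status}; unparseable -> 'unparsed'."""
    result = {}
    for host, text in outputs.items():
        try:
            result[host] = classify(parse_version(text))
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory (hypothetical hosts and build ids, not real data).
SAMPLE_OUTPUTS = {
    "ws-01": "LibreOffice 6.1.3.1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "ws-02": "LibreOffice 6.0.7.3 bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    "ws-03": "LibreOffice 6.1.4.2 cccccccccccccccccccccccccccccccccccccccc",
    "ws-04": "LibreOffice 6.1.3.2 dddddddddddddddddddddddddddddddddddddddd",
    "ws-05": "soffice: command not found",
}

if __name__ == "__main__":
    for host, status in check_hosts(SAMPLE_OUTPUTS).items():
        print(f"{host}: {status}")
```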

Tenable will also be releasing plugins for this vulnerability, which will be available as they’re released[3].

[1] https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html

[2] https://www.libreoffice.org/download/download/

[3] https://www.tenable.com/plugins/search?q=%22CVE-2018-16858%22&sort=&page=1
