security@documentfoundation.org reports:
LibreOffice supports Office URI Schemes to enable browser integration
of LibreOffice with MS SharePoint server. An additional scheme
'vnd.libreoffice.command' specific to LibreOffice was
added. In the affected versions of LibreOffice a link in a browser
using that scheme could be constructed with an embedded inner URL
that when passed to LibreOffice could call internal macros with
arbitrary arguments. This issue affects LibreOffice: from 24.8
before < 24.8.5, from 25.2 before < 25.2.1.