Announced: August 21, 2014
Fixed in: LibreOffice 4.2.6-secfix/4.3.1
The vulnerability allows command injection when loading Calc spreadsheets under Windows. Specially crafted documents can be used for command-injection attacks. Other operating systems are not affected.
Windows users are recommended to upgrade their LibreOffice to 4.2.6-secfix or 4.3.1
Thanks to Rohan Durve and James Kettle of Context Information Security for discovering this flaw.