Announced: August 21, 2014
Fixed in: LibreOffice 4.2.6-secfix/4.3.1
The vulnerability allows an attacker to send a document which when opened will trigger the prompt to "Update Links" but if the user cancels that prompt may still generate and insert into the document an OLE2 preview image of a file on the victims filesystem, Data exposure is possible if the updated document is then distributed to other parties.
All users are recommended to upgrade to LibreOffice 4.2.6-secfix or 4.3.1.
Thanks to Malte Timmermann of Open-Xchange for discovering this flaw.