QwikSec

Security Database

CVE

CWE

Training

CVE-2019-9848

Published: Jul 17, 2019

Modified: Sep 16, 2024

PUBLISHED

Description

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

Vendor	Product	Versions
Document Foundation	LibreOffice	affected `unspecified - < 6.2.5`

References

https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848

x_refsource_CONFIRM

vendor-advisory

x_refsource_UBUNTU

FEDORA-2019-5561d20558

vendor-advisory

x_refsource_FEDORA

vdb-entry

x_refsource_BID

vendor-advisory

x_refsource_GENTOO

20190815 [SECURITY] [DSA 4501-1] libreoffice security update

mailing-list

x_refsource_BUGTRAQ

FEDORA-2019-2fe22a3a2c

vendor-advisory

x_refsource_FEDORA

openSUSE-SU-2019:2057

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2019:2183

vendor-advisory

x_refsource_SUSE

[debian-lts-announce] 20191006 [SECURITY] [DLA 1947-1] libreoffice security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.