|
|||
Rule General Information |
---|
Release Date: | 2019-08-05 | |
Rule Name: | LibreOffice LibreLogo Arbitrary Code Execution Vulnerability (CVE-2019-9848) | |
Severity: | ||
CVE ID: | ||
Rule Protection Details |
---|
Description: | LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. | |
Impact: | An attacker can execute arbitrary code via a successful exploit in the context of the vulnerable software. | |
Affected OS: | Windows, Android, Others | |
Reference: | SecurityFocusBID:109374 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPTZJCNN52VNGSVC5DFKVW3EDMRDWKMP/ https://usn.ubuntu.com/4063-1/ https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848 |
|
Solutions |
---|
The vendors have released upgrade patches to fix vulnerabilities, please visit: https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848 |