|
|
|||
| Rule General Information |
|---|
| Release Date: | 2019-08-05 | |
| Rule Name: | LibreOffice LibreLogo Arbitrary Code Execution Vulnerability (CVE-2019-9848) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. | |
| Impact: | An attacker can execute arbitrary code via a successful exploit in the context of the vulnerable software. | |
| Affected OS: | Windows, Android, Others | |
| Reference: | SecurityFocusBID:109374 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPTZJCNN52VNGSVC5DFKVW3EDMRDWKMP/ https://usn.ubuntu.com/4063-1/ https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848 |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848 |