Your submission was sent successfully! Close

CVE-2019-9850

Published: 15 August 2019

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
libreoffice
Launchpad, Ubuntu, Debian
bionic
Released (1:6.0.7-0ubuntu0.18.04.9)
disco
Released (1:6.2.6-0ubuntu0.19.04.1)
precise Does not exist

trusty Does not exist

upstream
Released (1:6.3.0-1)
xenial
Released (1:5.1.6~rc2-0ubuntu1~xenial9)