ASA-2019-00263 – LibreOffice: Executable hyperlink targets executed unconditionally on activation


Allele Security Alert

ASA-2019-00263

Identifier(s)

ASA-2019-00263, CVE-2019-9847

Title

Executable hyperlink targets executed unconditionally on activation

Vendor(s)

The Document Foundation

Product(s)

LibreOffice

Affected version(s)

LibreOffice prior to 6.1.6 and 6.2.3

Fixed version(s)

LibreOffice versions 6.1.6 and 6.2.3

Proof of concept

Unknown

Description

In LibreOffice versions before 6.1.6/6.2.3 on Windows and macOS, when a hyperlink target was explicitly activated by the user, no check was made on whether the target was an executable file, so executable targets were launched unconditionally.

Technical details

Unknown

Credits

Zhongcheng Li (Pox Security Team)

Reference(s)

CVE-2019-9847 | LibreOffice – Free Office Suite – Fun Project – Fantastic People
https://www.libreoffice.org/about-us/security/advisories/cve-2019-9847/

CVE-2019-9847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9847

CVE-2019-9847
https://nvd.nist.gov/vuln/detail/CVE-2019-9847

If there is any error in this alert or if you would like a comprehensive analysis, let us know.

Last modified: May 13, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.