Allele Security Alert
ASA-2019-00458
Identifier(s)
ASA-2019-00458, CVE-2019-9848
Title
LibreLogo arbitrary script execution
Vendor(s)
The Document Foundation
Product(s)
LibreOffice
Affected version(s)
LibreOffice versions before 6.2.5
Fixed version(s)
LibreOffice version 6.2.5
Proof of concept
Unknown
Description
LibreOffice lets a document specify that pre-installed scripts be executed on various document events, such as mouse-over. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands.
Technical details
Unknown
Credits
Nils Emmerich (ERNW Research GmbH)
Reference(s)
CVE-2019-9848
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848
LibreOffice — A Python Interpreter (code execution vulnerability CVE-2019–9848)
https://medium.com/@hungrybytes/libreoffice-a-python-interpreter-code-execution-vulnerability-cve-2019-9848-4daf195639f
CVE-2019-9848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848
CVE-2019-9848
https://nvd.nist.gov/vuln/detail/CVE-2019-9848
Last modified: July 28, 2019