PT-2019-3159 · Document Foundation+5 · Libreoffice+5

Gabriel Masei

·

Published

2019-08-06

·

Updated

2024-06-15

·

CVE-2019-9851

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Document Foundation LibreOffice versions prior to 6.2.6
Description The issue is in LibreLogo, a programmable turtle vector graphics script shipped with LibreOffice, which executes arbitrary Python code contained in the document it is launched from. To address an earlier issue (CVE-2019-9848), protection was added to block calling LibreLogo from document event script handlers such as mouse-over. LibreOffice also lets a document specify that pre-installed scripts run on various global script events such as document-open; this second mechanism was not covered by the protection, so a document could still invoke LibreLogo through it. A remote attacker who convinces a user to open a specially crafted document can therefore execute arbitrary code on the target system with the privileges of that user.
Recommendations For versions prior to 6.2.6, update to version 6.2.6 or later. Until the update can be applied: remove the LibreLogo component, since the crafted document can only call a script that is actually installed (on Debian and Ubuntu it is the separately packaged libreoffice-librelogo; in other installations it is the LibreLogo directory under share/Scripts/python); treat documents from untrusted sources as hostile and inspect them for script event bindings that call pre-installed scripts before opening them; and do not rely on the macro security level alone, because pre-installed scripts in the share location are trusted and are not subject to the prompt that applies to macros embedded in a document.
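The binding the description talks about, and the inspection the recommendations ask for, can be checked mechanically. The following Python script is an added example (not code from this page or from LibreOffice): it opens an ODF document (a zip container), parses content.xml and styles.xml, and reports every script:event-listener whose target is a vnd.sun.star.script: URI, flagging LibreLogo and any other script outside the document itself (location other than "document"). The sample .odt it builds in memory is constructed for the demonstration; the "office:load" event name it uses is an assumption, and the scanner does not depend on any particular event name.

```python
"""Scan an ODF document for script event bindings that call pre-installed scripts.

Added example, not LibreOffice code. The sample document built below is constructed
input for the demonstration, not a real exploit document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit
from xml.sax.saxutils import quoteattr

NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
NS_SCRIPT = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
NS_XLINK = "http://www.w3.org/1999/xlink"
NS_TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"

LISTENER_TAG = f"{{{NS_SCRIPT}}}event-listener"
EVENT_ATTR = f"{{{NS_SCRIPT}}}event-name"
HREF_ATTR = f"{{{NS_XLINK}}}href"

# Document parts inspected for event bindings (assumption of this scanner).
XML_PARTS = ("content.xml", "styles.xml")
SCRIPT_SCHEME = "vnd.sun.star.script"


def parse_script_uri(href):
    """Split a vnd.sun.star.script: URI into (script path, location); None if not one."""
    parts = urlsplit(href)
    if parts.scheme.lower() != SCRIPT_SCHEME:
        return None
    query = parse_qs(parts.query)
    location = query.get("location", ["?"])[0].lower()
    return parts.path, location


def scan_odf(data):
    """Return one finding per script event listener found in the document."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in XML_PARTS:
            if part not in zf.namelist():
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter(LISTENER_TAG):
                parsed = parse_script_uri(el.get(HREF_ATTR, ""))
                if parsed is None:
                    continue  # not a script URI (e.g. an ordinary hyperlink target)
                script, location = parsed
                if script.lower().startswith("librelogo"):
                    risk = "high"    # LibreLogo runs Python taken from the document
                elif location != "document":
                    risk = "medium"  # some other script outside the document (share/user)
                else:
                    risk = "low"     # embedded macro, subject to macro security settings
                findings.append({"part": part, "event": el.get(EVENT_ATTR, ""),
                                 "script": script, "location": location, "risk": risk})
    return findings


def build_sample_odt(listeners):
    """Build a minimal .odt in memory with the given (event name, href) bindings."""
    items = "".join(
        f'<script:event-listener script:language="ooo:script" '
        f'script:event-name={quoteattr(ev)} xlink:href={quoteattr(href)}/>'
        for ev, href in listeners
    )
    content = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<office:document-content xmlns:office="{NS_OFFICE}" xmlns:script="{NS_SCRIPT}" '
        f'xmlns:xlink="{NS_XLINK}" xmlns:text="{NS_TEXT}" office:version="1.2">'
        f'<office:scripts><office:event-listeners>{items}</office:event-listeners></office:scripts>'
        '<office:body><office:text><text:p>sample</text:p></office:text></office:body>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed inputs: one document binding the pre-installed LibreLogo script to a
# document-load event ("office:load" is an assumed event name), one with no bindings.
LIBRELOGO_HREF = "vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python&location=share"
CRAFTED_DOC = build_sample_odt([("office:load", LIBRELOGO_HREF)])
CLEAN_DOC = build_sample_odt([])


def main():
    for name, doc in (("crafted", CRAFTED_DOC), ("clean", CLEAN_DOC)):
        findings = scan_odf(doc)
        print(f"{name}: {len(findings)} script event binding(s)")
        for f in findings:
            print(f"  {f['risk']:6} {f['part']} {f['event']} -> {f['script']} ({f['location']})")


if __name__ == "__main__":
    main()
```

Run it against a real file with scan_odf(open("doc.odt", "rb").read()). Anything rated high should not be opened on a vulnerable version; medium findings deserve a look at which script is referenced, since the same mechanism reaches any installed script, not only LibreLogo.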

Exploit

Fix

RCE

Related Identifiers

ALT-PU-2019-2380
ALT-PU-2019-2402
ALT-PU-2019-2490
ALT-PU-2019-2500
ALT-PU-2019-2760
ALT-PU-2019-2761
BDU:2019-03148
CESA-2020:1151
CESA-2020:1598
CVE-2019-9851
DLA-1947-1
DSA-4501-1
MGASA-2019-0340
OPENSUSE-SU-2019:2057-1
OPENSUSE-SU-2019:2183-1
OPENSUSE-SU-2024:10983-1
RHSA-2020:1151
RHSA-2020:1598
SUSE-SU-2019:2231-1
SUSE-SU-2019:2401-1
SUSE-SU-2019:2402-1
USN-4102-1

Affected Products

Alt Linux
Centos
Libreoffice
Red Hat
Suse
Ubuntu