PT-2019-2804 · Document Foundation · LibreOffice
Nils Emmerich · Published 2019-07-16 · Updated 2024-06-15
CVE-2019-9848
CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Document Foundation LibreOffice versions prior to 6.2.5
Description
The issue allows a malicious document to execute arbitrary Python commands silently, without any warning to the user, by using the document event feature to trigger LibreLogo to execute Python code contained within the document. This is possible because the LibreLogo module can run Python code in response to document events, for example when a crafted object in the document is hovered over. Exploitation of this issue may allow a remote attacker to execute arbitrary code on the target system by sending a specially crafted document in formats such as .doc, .docx, .xls, .xlsx, .ppt, .pptx.
Recommendations
For versions prior to 6.2.5, update to version 6.2.5 or later, where LibreLogo can no longer be called from a document event handler, to resolve the issue. As a temporary workaround, consider disabling the use of LibreLogo in document event handlers until the patch can be applied. Restrict access to documents from untrusted sources to minimize the risk of exploitation.
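The mechanism described above (a document event listener whose target is LibreLogo) leaves a visible trace in the document's XML, so a defender can triage documents from untrusted sources before opening them. The script below is an added example, not code from the advisory or from the LibreOffice project: it unpacks a ZIP-based ODF package (or reads a flat-XML ODF file), lists every `script:event-listener` element, flags those whose `xlink:href` mentions LibreLogo, and also checks a LibreOffice version string against the 6.2.5 fix threshold from the advisory. The ODF element and attribute names come from the OpenDocument schema; the sample document, its event names and macro URIs are constructed placeholders for the example only.

```python
"""Added example: flag document event listeners that reference LibreLogo in an
ODF document, and check a LibreOffice version against the fixed release.
Not code from the advisory or from LibreOffice; sample data is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF namespaces (OpenDocument schema) used by event listener elements
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
XLINK_NS = "http://www.w3.org/1999/xlink"
FIXED_VERSION = (6, 2, 5)  # advisory: versions prior to 6.2.5 are affected


def event_listeners(xml_bytes):
    """Return (event_name, href) for every script:event-listener in one XML part."""
    root = ET.fromstring(xml_bytes)
    return [
        (el.get(f"{{{SCRIPT_NS}}}event-name", ""), el.get(f"{{{XLINK_NS}}}href", ""))
        for el in root.iter(f"{{{SCRIPT_NS}}}event-listener")
    ]


def scan_document(data):
    """Scan a zipped ODF package or a flat-XML ODF file given as bytes.

    Returns {"listeners": [...], "librelogo": [...]}; each entry is
    (part_name, event_name, href). A listener whose target mentions LibreLogo
    is the pattern this advisory describes: a document event that runs LibreLogo."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parts = [(n, zf.read(n)) for n in zf.namelist() if n.endswith(".xml")]
    else:
        parts = [("<flat xml>", data)]
    report = {"listeners": [], "librelogo": []}
    for name, xml_bytes in parts:
        try:
            found = event_listeners(xml_bytes)
        except ET.ParseError:
            continue  # damaged or non-XML part: nothing to inspect here
        for event, href in found:
            entry = (name, event, href)
            report["listeners"].append(entry)
            if "librelogo" in href.lower():
                report["librelogo"].append(entry)
    return report


def is_affected_version(version):
    """True if a LibreOffice version string (e.g. '6.2.4') is older than 6.2.5."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad '6.1' to (6, 1, 0)
    return parts < FIXED_VERSION


# Constructed sample content.xml: one listener bound to a mouse-over event with a
# placeholder LibreLogo target, one ordinary Basic macro listener for contrast.
SAMPLE_CONTENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
  xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <office:body><office:text>
    <text:p>Hover over this paragraph</text:p>
    <office:event-listeners>
      <script:event-listener script:event-name="dom:mouseover" script:language="ooo:script"
        xlink:href="vnd.sun.star.script:LibreLogo|PLACEHOLDER"/>
      <script:event-listener script:event-name="dom:click" script:language="ooo:script"
        xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>
    </office:event-listeners>
  </office:text></office:body>
</office:document-content>
"""


def build_sample_odt():
    """Package the constructed content.xml as an in-memory ODT-style ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", SAMPLE_CONTENT_XML)
    return buf.getvalue()


if __name__ == "__main__":
    rep = scan_document(build_sample_odt())
    for part, event, href in rep["listeners"]:
        flag = "LIBRELOGO" if (part, event, href) in rep["librelogo"] else "listener"
        print(f"{flag:9} {part}: {event} -> {href}")
    print("6.2.4 affected:", is_affected_version("6.2.4"))
```

Any listener at all in a document from an untrusted source deserves a look, which is why the report keeps the full list alongside the LibreLogo matches; the version check covers the other half of the advisory's recommendation, confirming whether an installed build still needs the update.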
Tags: Exploit · Fix · RCE · Code Injection
Affected Products
ALT Linux
CentOS
LibreOffice
Red Hat
SUSE
Ubuntu