PT-2019-3158 · Document Foundation · LibreOffice
Author: Alex · Published 2019-08-06 · Updated 2024-06-15
CVE-2019-9850 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Document Foundation LibreOffice versions prior to 6.2.6
Description
The issue is caused by insufficient URL validation in LibreOffice, which allows a malicious actor to bypass the protection and execute arbitrary Python commands embedded in a document. Execution can be triggered through script event handlers, such as mouse-over events, and can lead to arbitrary code execution on the target system. The vulnerability is related to LibreLogo, the programmable turtle vector graphics script that is typically bundled with LibreOffice.
Recommendations
For versions prior to 6.2.6, update to version 6.2.6 or later to resolve the issue. As a temporary workaround, disable the execution of pre-installed scripts from document script events to reduce the risk of exploitation, and restrict access to the LibreLogo script so that it cannot be used to execute arbitrary code. Avoid opening documents from untrusted sources, as they may be specially crafted to exploit this vulnerability.
Exploit
Fix
RCE
Affected Products
Alt Linux
Centos
Librelogo
Libreoffice
Red Hat
Suse
Ubuntu