PT-2019-3256 · Document Foundation · Libreoffice
Ricex · Published 2019-09-06 · Updated 2024-06-15
CVE-2019-9854
CVSS v2.0 score: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
LibreOffice versions 6.2 prior to 6.2.7
LibreOffice versions 6.3 prior to 6.3.1
Description
The issue is related to how LibreOffice handles script events, such as mouse-over and document-open, where pre-installed macros can be executed. A flaw in the path verification step allows an attacker to bypass protection and execute scripts in arbitrary locations on the file system. This is done by exploiting a flaw in how LibreOffice assembles the final script URL location from components of the passed-in path, rather than solely from the sanitized output of the path verification step. The estimated number of potentially affected devices worldwide is not specified.
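The check-then-reassemble pattern described above, shown as an added illustration that is not LibreOffice's own code: a sanitizer verifies a candidate script path, the flawed resolver then rebuilds the final location from the original input's components, and the hardened resolver uses only the sanitized output. The root directory, the sanitizer and both resolver functions are constructed for this example.

```python
import posixpath
from typing import Optional

# Constructed example: the only directory scripts may legitimately be loaded from.
SCRIPT_ROOT = "/opt/office/share/Scripts/python"


def _under_root(path: str) -> bool:
    """True when a normalized absolute path lies inside SCRIPT_ROOT."""
    return path == SCRIPT_ROOT or path.startswith(SCRIPT_ROOT + "/")


def sanitize_relative_path(rel: str) -> str:
    """Path verification step: drop empty, '.' and '..' components."""
    parts = [p for p in rel.split("/") if p not in ("", ".", "..")]
    return "/".join(parts)


def verify(rel: str) -> bool:
    """Verification passes when the *sanitized* path resolves under SCRIPT_ROOT."""
    cleaned = posixpath.normpath(posixpath.join(SCRIPT_ROOT, sanitize_relative_path(rel)))
    return _under_root(cleaned)


def resolve_vulnerable(rel: str) -> Optional[str]:
    """Flawed pattern: the check runs on the sanitized path, but the final
    location is assembled from the components of the original input."""
    if not verify(rel):
        return None
    # Defect: the unsanitized input is joined here, so '..' components survive.
    return posixpath.normpath(posixpath.join(SCRIPT_ROOT, rel))


def resolve_fixed(rel: str) -> Optional[str]:
    """Hardened pattern: the final location is the sanitized output itself,
    re-checked against the root immediately before it is returned."""
    if not verify(rel):
        return None
    final = posixpath.normpath(posixpath.join(SCRIPT_ROOT, sanitize_relative_path(rel)))
    return final if _under_root(final) else None


def escapes_root(path: Optional[str]) -> bool:
    """Detection helper: does a resolved location fall outside SCRIPT_ROOT?"""
    return path is not None and not _under_root(path)
```

Logging `escapes_root(...)` on every resolved script location is a cheap way to spot the flawed pattern in a code base that still mixes raw and sanitized components.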
Recommendations
For LibreOffice versions 6.2 prior to 6.2.7, update to version 6.2.7 or later.
For LibreOffice versions 6.3 prior to 6.3.1, update to version 6.3.1 or later.
As a temporary workaround, consider restricting access to scripts under the share/Scripts/python and user/Scripts/python sub-directories of the LibreOffice install to minimize the risk of exploitation.
Improper Access Control
Path traversal
Affected Products
Alt Linux
Centos
Libreoffice
Red Hat
Suse
Ubuntu