PT-2019-5536 · Document Foundation · LibreOffice
Nils Emmerich · Published 2019-08-15 · Updated 2024-06-15
CVE-2019-9853
CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
LibreOffice versions 6.2.0 through 6.2.6
LibreOffice version 6.3.0
Description
A URL decoding flaw existed in how the URLs of macros embedded in a document were processed and categorized, making it possible to construct a document whose macro execution bypassed the macro security settings. Such documents were correctly detected as containing macros, and the user was warned of their presence, but the macros in the document were subsequently not governed by the security settings, allowing arbitrary macro execution. This issue may allow a remote attacker to gain unauthorized access to confidential data, cause a denial of service, or compromise data integrity.
Recommendations
For LibreOffice 6.2 series versions prior to 6.2.7, update to version 6.2.7 or later.
For LibreOffice 6.3 series versions prior to 6.3.1, update to version 6.3.1 or later.
As a temporary workaround, consider disabling macro execution in the document security settings until the update can be applied.
Restrict access to documents containing macros to minimize the risk of exploitation.
Weakness Enumeration
Improper Encoding or Escaping of Output (CWE-116)
Affected Products
ALT Linux
CentOS
LibreOffice
OpenOffice
Red Hat
SUSE