CVSS2: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.217 Low
Percentile: 96.5%

LibreOffice is typically bundled with LibreLogo, a programmable turtle
vector graphics script, which can execute arbitrary Python commands
contained within the document it is launched from. LibreOffice also has a
feature where documents can specify that pre-installed scripts can be
executed on various document script events such as mouse-over, etc.
Protection was added, to address CVE-2019-9848, to block calling LibreLogo
from script event handlers. However, an insufficient URL validation
vulnerability in LibreOffice allowed a malicious document to bypass that
protection and again trigger calling LibreLogo from script event handlers.
This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libreoffice | < 1:6.0.7-0ubuntu0.18.04.9 | UNKNOWN |
ubuntu | 19.04 | noarch | libreoffice | < 1:6.2.6-0ubuntu0.19.04.1 | UNKNOWN |
ubuntu | 16.04 | noarch | libreoffice | < 1:5.1.6~rc2-0ubuntu1~xenial9 | UNKNOWN |
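
The version bounds in the table use Debian version syntax (an epoch prefix `1:` and `~` suffixes), so a plain string comparison gives wrong answers. The following is an added example, not part of the advisory: it checks an installed `libreoffice` package version against the table using dpkg's ordering rules. The names `FIXED`, `deb_key` and `is_affected` are chosen here, and the sample inventory is constructed.

```python
import re

# First fixed libreoffice package version per Ubuntu release, from the table above.
FIXED = {
    "18.04": "1:6.0.7-0ubuntu0.18.04.9",
    "19.04": "1:6.2.6-0ubuntu0.19.04.1",
    "16.04": "1:5.1.6~rc2-0ubuntu1~xenial9",
}

def _order(c):
    """dpkg ordering of a non-digit character: '~' first, then letters, then the rest."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _part_key(s):
    """Split into (non-digit, digit) runs; the 0 marks end-of-run, which sorts above '~'."""
    return [([_order(c) for c in nd] + [0], int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s)]

def deb_key(version):
    """Sort key for a Debian version string: (epoch, upstream, revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                      # no '-' means no Debian revision
        upstream, revision = rest, "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))

def is_affected(release, installed):
    """True if installed < fixed version for that release; None if release is not listed."""
    fixed = FIXED.get(release)
    if fixed is None:
        return None
    return deb_key(installed) < deb_key(fixed)

if __name__ == "__main__":
    # Constructed sample inventory (release, installed libreoffice version), not real host data.
    for rel, ver in [("18.04", "1:6.0.7-0ubuntu0.18.04.8"),
                     ("16.04", "1:5.1.6~rc2-0ubuntu1~xenial10"),
                     ("19.04", "1:6.2.6-0ubuntu0.19.04.1"),
                     ("20.04", "1:6.4.7-0ubuntu0.20.04.1")]:
        print(rel, ver, is_affected(rel, ver))
```

A `None` result means the release is not in the table, so the page gives no bound to compare against.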
launchpad.net/bugs/cve/CVE-2019-9850
nvd.nist.gov/vuln/detail/CVE-2019-9850
seclists.org/bugtraq/2019/Aug/28
security-tracker.debian.org/tracker/CVE-2019-9850
ubuntu.com/security/notices/USN-4102-1
www.cve.org/CVERecord?id=CVE-2019-9850
www.libreoffice.org/about-us/security/advisories/CVE-2019-9850
www.libreoffice.org/about-us/security/advisories/cve-2019-9850/