CVE-2019-9850 vulnerability in LibreOffice and Other Products
Published on August 15, 2019
Insufficient url validation allowing LibreLogo script execution
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
Products Associated with CVE-2019-9850
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-9850 are published in these products:
Affected Versions
Document Foundation LibreOffice:- Version unspecified and below 6.2.6 is affected.
Exploit Probability
EPSS
2.91%
Percentile
86.37%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.