cvelist Document Fdn. CVELIST:CVE-2019-9855
History Sep 06, 2019 - 12:00 a.m.

CVE-2019-9855 Windows 8.3 path equivalence handling flaw allows LibreLogo script execution

2019-09-06 00:00:00
Document Fdn.
www.cve.org

AI Score: 9.5 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 74.7%)

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts be executed on various document script events such as mouse-over. Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows: a document could trigger execution of LibreLogo via a Windows filename pseudonym. This issue affects Document Foundation LibreOffice 6.2 versions prior to 6.2.7 and 6.3 versions prior to 6.3.1.
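
The class of flaw described above, as an added example (not LibreOffice's code or its actual fix): a name-based block compared against the literal handler target, next to a stricter check that fails closed on any path component shaped like a Windows 8.3 alias. The `vnd.sun.star.script:` target format, the function names and the sample targets (including the made-up `SAMPLE~1` alias) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

BLOCKED = {"librelogo"}          # script the advisory says handlers must not call
SCHEME = "vnd.sun.star.script:"  # assumed handler-target URI scheme

# Shape of a Windows 8.3 alias: short base, "~", digits, optional 1-3 char extension.
SHORT_NAME = re.compile(r'^[^\\/:*?"<>|.~\s]{1,6}~\d{1,6}(\.[^\\/:*?"<>|.\s]{1,3})?$')

def components(target):
    """Path components of the script part of a handler target."""
    path = target[len(SCHEME):] if target.startswith(SCHEME) else target
    path = unquote(path.split("?", 1)[0]).split("$", 1)[0]  # drop params, function
    return [c for c in re.split(r"[\\/|]", path) if c]

def naive_allows(target):
    """Name-based block: compares only the literal text with the blocklist."""
    return not any(name in target.lower() for name in BLOCKED)

def hardened_allows(target):
    """Fail closed on alias-shaped components: their long name is unknown
    here, so they cannot be checked against the blocklist."""
    if not naive_allows(unquote(target)):
        return False
    for comp in components(target):
        base = comp.split(".", 1)[0]
        if SHORT_NAME.match(comp) and len(base) <= 8:
            return False
    return True

# Constructed sample targets; SAMPLE~1 is a made-up alias, not a real file name.
SAMPLES = [
    "vnd.sun.star.script:LibreLogo/LibreLogo.py$main?language=Python&location=share",
    "vnd.sun.star.script:SAMPLE~1/SAMPLE~1.PY$main?language=Python&location=share",
    "vnd.sun.star.script:SAMPLE%7E1.PY$main?language=Python&location=share",
    "vnd.sun.star.script:Standard.Module1.Main?language=Basic&location=document",
]

def triage(targets=SAMPLES):
    """Return (target, naive verdict, hardened verdict) for each target."""
    return [(t, naive_allows(t), hardened_allows(t)) for t in targets]

if __name__ == "__main__":
    for target, naive, hardened in triage():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {target}")
```

On Windows, a check that resolves each component to its long name before comparing is stricter than shape matching; the shape test here can also reject a legitimate file whose long name happens to look like an alias.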

CNA Affected

[
  {
    "product": "LibreOffice",
    "vendor": "Document Foundation",
    "versions": [
      {
        "lessThan": "6.2.7",
        "status": "affected",
        "version": "6.2",
        "versionType": "custom"
      },
      {
        "lessThan": "6.3.1",
        "status": "affected",
        "version": "6.3",
        "versionType": "custom"
      }
    ]
  }
]
