CVE-2019-9855

2019-09-0619:15:12

Google

osv.dev

7.1 High

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

74.7%

JSON

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handers. However a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

CPENameOperatorVersion
coreeqcp-6.2-branch-point
coreeqlibreoffice-4-2-milestone-1
coreeqlibreoffice-4-0-branch-point
coreeqlibreoffice-5-1-branch-point
coreeqCODE-4.2.0-1
coreeqlibreoffice-3.5.0.0
coreeqlibreoffice-4-3-branch-point
coreeqlibreoffice-4-1-branch-point
coreeqlibs-extern_libreoffice-3.4.2.2-buildfix1
coreeqlibreoffice-5-2-branch-point

Name	Operator	Version
core	eq	cp-6.2-branch-point
core	eq	libreoffice-4-2-milestone-1
core	eq	libreoffice-4-0-branch-point
core	eq	libreoffice-5-1-branch-point
core	eq	CODE-4.2.0-1
core	eq	libreoffice-3.5.0.0
core	eq	libreoffice-4-3-branch-point
core	eq	libreoffice-4-1-branch-point
core	eq	libs-extern_libreoffice-3.4.2.2-buildfix1
core	eq	libreoffice-5-2-branch-point