Lucene search

PRIOn knowledge basePRION:CVE-2019-9855

HistorySep 06, 2019 - 7:15 p.m.

Design/Logic Flaw

2019-09-0619:15:00

PRIOn knowledge base

www.prio-n.com

9.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.7%

JSON

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handers. However a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

CPENameOperatorVersion
libreofficege6.2.0
libreofficelt6.2.7
libreofficege6.3.0
libreofficelt6.3.1
leapeq15.0
leapeq15.1

Name	Operator	Version
libreoffice	ge	6.2.0
libreoffice	lt	6.2.7
libreoffice	ge	6.3.0
libreoffice	lt	6.3.1
leap	eq	15.0
leap	eq	15.1

References

lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html

lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html

www.libreoffice.org/about-us/security/advisories/CVE-2019-9855/