Home > Vulnerability Database > CVE-2019-9850

Mend.io Vulnerability Database

CVE-2019-9850

Good to know:

Date: August 15, 2019

LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

Language: C

Severity Score

9.8

Related Resources (15)

Url: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html

Url: https://access.redhat.com/security/cve/CVE-2019-9850

Url: https://security.alpinelinux.org/vuln/CVE-2019-9850

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9850

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WVSDPZJG3UA43X3JXRHJAWXLDZEW77LM/

Url: https://usn.ubuntu.com/4102-1/

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-9850

Url: https://seclists.org/bugtraq/2019/Aug/28

Url: https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850

Url: https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html

Url: https://www.debian.org/security/2019/dsa-4501

Url: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html

Url: https://security-tracker.debian.org/tracker/CVE-2019-9850

Url: https://www.mend.io/vulnerability-database/CVE-2019-9850

Severity Score

9.8

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version 6.2.6

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	7.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-9850

Good to know:

Date: August 15, 2019

Language: C

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?