Executive Summary

Informations
Name CVE-2019-9848 First vendor Publication 2019-07-17
Vendor Cve Last vendor Modification 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 9.8
Base Score 9.8 Environmental Score 9.8
impact SubScore 5.9 Temporal Score 9.8
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score 7.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9848

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-94 Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 417
Os 3
Os 1
Os 2
Os 2

Snort® IPS/IDS

Date Description
2019-11-26 LibreOffice office document arbitrary script execution attempt
RuleID : 52000 - Revision : 1 - Type : FILE-OTHER
2019-11-26 LibreOffice office document arbitrary script execution attempt
RuleID : 51999 - Revision : 1 - Type : FILE-OTHER

Metasploit Database

id Description
2019-07-16 LibreOffice Macro Python Code Execution

Sources (Detail)

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
http://www.securityfocus.com/bid/109374
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://seclists.org/bugtraq/2019/Aug/28
https://security.gentoo.org/glsa/201908-13
https://usn.ubuntu.com/4063-1/
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9848
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Date Informations
2024-11-28 13:37:05
  • Multiple Updates
2023-11-07 21:39:36
  • Multiple Updates
2022-04-18 21:23:23
  • Multiple Updates
2021-08-05 01:36:01
  • Multiple Updates
2021-07-21 17:24:58
  • Multiple Updates
2021-05-04 13:43:01
  • Multiple Updates
2021-04-22 02:54:38
  • Multiple Updates
2020-05-23 13:17:11
  • Multiple Updates
2020-05-23 02:34:30
  • Multiple Updates
2019-10-07 12:01:56
  • Multiple Updates
2019-09-26 12:11:48
  • Multiple Updates
2019-09-10 12:11:27
  • Multiple Updates
2019-09-03 12:04:05
  • Multiple Updates
2019-08-25 12:03:08
  • Multiple Updates
2019-08-16 13:19:41
  • Multiple Updates
2019-08-16 00:19:39
  • Multiple Updates
2019-07-30 00:19:16
  • Multiple Updates
2019-07-27 12:10:41
  • Multiple Updates
2019-07-19 09:19:02
  • Multiple Updates
2019-07-18 05:18:49
  • Multiple Updates
2019-07-17 17:18:51
  • First insertion