Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2018-16858Product UI does not Warn User of Unsafe Actions in Foundation Libreoffice

CWE-356Product UI does not Warn User of Unsafe ActionsCWE-22Path TraversalCWE-116Improper Encoding or Escaping of Output23 documents12 sources
Severity
9.8CRITICALNVD
NVD7.8CNA7.8OSV7.8
EPSS
92.3%
top 0.27%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
7
Document Foundation LibreofficeLibreofficeDebian Libreoffice+4 more
Timeline
PublishedMar 25
Latest updateMay 24

Description

It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified relative to the LibreOffice install location.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

CVEListV5document_foundation/libreoffice6.26.2.7+2
debiandebian/libreoffice< libreoffice 1:6.1.3-1 (bookworm)+1
NVDlibreoffice/libreoffice6.1.06.1.3+2
Debianlibreoffice/libreoffice< 1:6.3.0-1+7
Ubuntulibreoffice/libreoffice< 1:4.2.8-0ubuntu5.5+1

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 29, Ubuntu Linux 16.04, 18.04, 19.04

🔴Vulnerability Details

7
GHSA
GHSA-vgrf-j225-8963: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-2022-05-24
GHSA
GHSA-v39m-j232-p3qr: It was found that libreoffice before versions 62022-05-14
OSV
CVE-2019-9852: LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-2019-08-15
CVEList
Insufficient URL encoding flaw in allowed script location check2019-08-15
CVEList
CVE-2018-16858: It was found that libreoffice before versions 62019-03-25

💥Exploits & PoCs

3
Exploit-DB
LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)2019-08-21
Exploit-DB
LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)2019-04-18
Metasploit
LibreOffice Macro Code Execution

🔍Detection Rules

1
Suricata
ET EXPLOIT LibreOffice pydoc RCE Inbound (CVE-2018-16858)2021-07-27

📋Vendor Advisories

5
Red Hat
libreoffice: Insufficient URL encoding flaw in allowed script location check2019-08-15
Ubuntu
LibreOffice vulnerabilities2019-02-06
Red Hat
libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning2019-02-01
Debian
CVE-2019-9852: libreoffice - LibreOffice has a feature where documents can specify that pre-installed macros ...2019
Debian
CVE-2018-16858: libreoffice - It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to ...2018

🕵️Threat Intelligence

2
Tenable
LibreOffice Vulnerable to Code Execution in URL Mouseover Preview Feature2019-02-01
Tenable
LibreOffice Vulnerable to Code Execution in URL Mouseover Preview Feature2019-02-01

💬Community

3
Bugzilla
CVE-2019-9852 libreoffice: Insufficient URL encoding flaw in allowed script location check2019-08-23
Bugzilla
CVE-2018-16858 libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning [fedora-all]2019-02-03
Bugzilla
CVE-2018-16858 libreoffice: Arbitrary python functions in arbitrary modules on the filesystem can be executed without warning2018-11-14