CVE-2019-9847: Improper Input Validation in Foundation Libreoffice

Severity
7.8 HIGH (NVD)
EPSS
0.2%
top 53.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published May 9
Latest update May 24

Description

A vulnerability in LibreOffice hyperlink processing allows an attacker to construct documents containing hyperlinks pointing to the location of an executable on the target user's file system. If the hyperlink is activated by the victim, the executable target is unconditionally launched. Under Windows and macOS, when processing a hyperlink target explicitly activated by the user, there was no judgment made on whether the target was an executable file, so such executable targets were launched uncondit

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages: 3 packages

NVD: libreoffice/libreoffice 6.26.2.3+1
CVEListV5: document_foundation/libreoffice unspecified6.1.6+1

🔴 Vulnerability Details

1
GHSA
GHSA-cxqx-7gmj-4vg7: A vulnerability in LibreOffice hyperlink processing allows an attacker to construct documents containing hyperlinks pointing to the location of an exe (2022-05-24)

📋 Vendor Advisories

1
Debian
CVE-2019-9847: libreoffice - A vulnerability in LibreOffice hyperlink processing allows an attacker to constr... (2019)