CVE-2019-9853Improper Encoding or Escaping of Output in Foundation Libreoffice

CWE-116Improper Encoding or Escaping of OutputCWE-838Inappropriate Encoding for Output Context7 documents6 sources
Severity
7.8HIGHNVD
EPSS
0.3%
top 47.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Document Foundation LibreofficeLibreofficeDebian Libreoffice
Timeline
PublishedSep 27
Latest updateMay 24

Description

LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

CVEListV5document_foundation/libreoffice6.2 series6.2.7+1
debiandebian/libreoffice< libreoffice 1:6.3.0-1 (bookworm)
NVDlibreoffice/libreoffice6.2.06.2.6+1
Debianlibreoffice/libreoffice< 1:6.3.0-1+3

🔴Vulnerability Details

2
GHSA
GHSA-52vw-wff4-8w2j: LibreOffice documents can contain macros2022-05-24
OSV
CVE-2019-9853: LibreOffice documents can contain macros2019-09-27

📋Vendor Advisories

2
Red Hat
libreoffice: Insufficient URL decoding flaw in categorizing macro location2019-09-27
Debian
CVE-2019-9853: libreoffice - LibreOffice documents can contain macros. The execution of those macros is contr...2019

💬Community

2
Bugzilla
CVE-2019-9853 libreoffice: documents contain macros controlled by document security setting [fedora-all]2020-02-03
Bugzilla
CVE-2019-9853 libreoffice: Insufficient URL decoding flaw in categorizing macro location2020-02-03