Document Foundation LibreOffice vulnerabilities

7 known vulnerabilities affecting document_foundation/libreoffice.

Total CVEs: 7
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 3, MEDIUM 1

Vulnerabilities

CVE-2019-9853 | HIGH | CVSS 7.8 | CWE-116 | ≥ 6.2 series, < 6.2.7 | ≥ 6.3 series, < 6.3.1 | 2019-09-27
LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings; typically, execution of macros is blocked by default. A URL decoding flaw existed in how the URLs to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execu
nvd
CVE-2019-9855 | CRITICAL | CVSS 9.8 | CWE-417 | ≥ 6.2, < 6.2.7 | ≥ 6.3, < 6.3.1 | 2019-09-06
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary Python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Pr
nvd
CVE-2019-9852 | HIGH | CVSS 7.8 | CWE-116 | ≥ 6.2, < 6.2.7 | ≥ 6.3, < 6.3.1 | 2019-08-15
LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to
nvd
CVE-2019-9848 | CRITICAL | CVSS 9.8 | PoC | CWE-94 | ≥ unspecified, < 6.2.6 | 2019-07-17
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary Python commands. By using the document event feature t
nvd
CVE-2019-9849 | MEDIUM | CVSS 4.3 | ≥ unspecified, < 6.2.5 | 2019-07-17
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet graphics were omitted from this protection prior t
nvd
CVE-2019-9847 | HIGH | CVSS 7.8 | CWE-20 | ≥ unspecified, < 6.1.6 | ≥ unspecified, < 6.2.3 | 2019-05-09
A vulnerability in LibreOffice hyperlink processing allows an attacker to construct documents containing hyperlinks pointing to the location of an executable on the target user's file system. If the hyperlink is activated by the victim, the executable target is unconditionally launched. Under Windows and macOS when processing a hyperlink target explicitly
nvd
CVE-2018-16858 | CRITICAL | CVSS 9.8 | PoC | CWE-356 | ≥ unspecified, < 6.2.6 | 2019-03-25
It was found that LibreOffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary file system location, specified rela
nvd