Bad news for LibreOffice users, the popular free and open-source office suite is affected by an
Recently, LibreOffice released the latest version 6.2.5 that addresses two severe flaws tracked as CVE-2019-9848 and CVE-2019-9849.
The fix for CVE-2019-9849 did not completely address the flaw: security researcher Alex Inführ explained how to bypass it.
Below is the description of the vulnerability CVE-2019-9848 published by the NIST National Vulnerability Database.
Alex Inführ did not disclose technical details about the technique he devised to bypass the fix, but confirmed via Twitter that he was able to successfully exploit it in the latest LibreOffice version 6.2.5.
The flaw resides in LibreLogo, a programmable turtle vector
Attackers can exploit the vulnerability with specially crafted LibreOffice document files, which can silently execute arbitrary Python commands without displaying any warning to the victim.
The vulnerability was first discovered by security expert Nils Emmerich, who described the issue with the following statement:
The expert explained that by using forms and the OnFocus event, it is even possible to execute arbitrary code when the document is opened, without the need for a mouse-over event. The expert also published a proof-of-concept for this attack.
While waiting for a final fix, users are advised to uninstall the LibreLogo component.