Bad news for LibreOffice users, the popular free and open-source office suite is affected by an
Recently, LibreOffice released the latest version 6.2.5 that addresses two severe flaws tracked as CVE-2019-9848 and CVE-2019-9849.
The fix CVE-2019-9849 did not completely address the security researcher Alex Inführ explained hot to bypass it.
Below the description for the vulnerability CVE-2019-9848 published by the NIS National Vulnerability Database.
Alex Inführ did not disclose technical details about the technique he devised to bypass the fix but confirmed via Twitter that he was able to successfully exploit it in the latest LibreOffice version 6.2.5
The flaw resides in LibreLogo, a programmable turtle vector
The vulnerability can be exploited by attackers using specially crafted malicious LibreOffice document files that can result in the silent execution of arbitrary python commands without displaying any warning to the victim.
The vulnerability was first discovered by security expert Nils Emmerich that described the issue with the following statement:
The expert explained that using forms and OnFocus event, it is even possible to execute arbitrary code when the document is opened, without the need for a mouse-over event. The expert also published a proof-of-concept for this attack.
Waiting for final fix users are recommended to uninstall the LibreLogo component.