The flaw resides in LibreLogo, a programmable turtle vector graphics script that ships by default with LibreOffice. LibreLogo allows users to specify pre-installed scripts in a document that can be executed when certain events occur.
The flaw can be exploited by attackers using specially crafted malicious LibreOffice document files, which can result in the silent execution of arbitrary Python commands without any warning being displayed to the victim.
The vulnerability was first discovered by security expert Nils
Unfortunately, the patch did not completely address the issue: at least two separate security researchers found a way to bypass it and trigger the
An attacker can chain the three vulnerabilities to remotely execute malicious commands on a targeted computer by tricking the victim into opening a maliciously-crafted document.
Don’t waste time: update LibreOffice to the latest version.
(SecurityAffairs – LibreOffice, hacking)