CVE-2019-9853
HIGHLibreOffice 6.2.0-6.2.6 - Macro Execution Bypass via URL Decoding Flaw
Title source: llmDescription
LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.
References (17)
Core 17
Core References
Vendor Advisory x_refsource_confirm
https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9853/
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQGBRSD73KTDZ2MPAOL7FBWO3SQVYE5B/
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/3a5570ca5cd14ad08e24684c71cfeff3a507f108fe3cf30ba4f58226%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/4ae0e6e52600f408d943ded079d314733ce188b04b04471464f89c4f%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/7394e6b5f78a878bd0c44e9bc9adf90b8cdf49e9adc0f287145aba9b%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/a540d1b6f9a7ebb206adba02839f654a6ee63a7b0976f559a847e49a%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/a5231ad45b030b54828c7b0b62a7e7d4b48481c7cb83ff628e07fa43%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/9dc85d9937ad7f101047c53f78c00e8ceb135eaeff7dcf4724b46f2c%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/70da9481dca267405e1d79e53942264765ef3f55c9a563c3737e3926%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/ca216900abd846f0220fe18b95f9f787bdbe0e87fa4eee822073cd69%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/27339e8a9a1e9bb47fbdb939b338256d0356250a1974aaf4d774f683%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/19c917f7c8a0d8f62142046fabfe3e2c7d6091ef1f92b99c6e79e24e%40%3Ccommits.openoffice.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/306a374361891eb17c6cffc99c3d7be1d3152a99c839d4231edc1631%40%3Ccommits.openoffice.apache.org%3E
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00040.html
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2020/Feb/23
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/156474/Open-Xchange-App-Suite-Documents-Server-Side-Request-Forgery.html
Scores
CVSS v3
7.8
EPSS
0.0321
EPSS Percentile
86.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-116
Status
published
Products (1)
libreoffice/libreoffice
6.2.0 - 6.2.6
Published
Sep 27, 2019
Tracked Since
Feb 18, 2026