CVE-2019-9850
Insufficient url validation allowing LibreLogo script execution
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
We have discovered 2,159 live websites that are affected by CVE-2019-9850.
Affected Software
| Product | |
| Category | Content Management System |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 195 |
| Vulnerable Domains | 2,159 live websites (64.01% of LibreOffice install base) |
Details
- Published - Aug 15, 2019
- Updated - Oct 6, 2019
Credits
- Thanks to alex (@insertscript) for reporting this issue
CVE References
CWE References
Countries
 United States | 392 websites |
 Germany | 685 websites |
 France | 139 websites |
 Italy | 96 websites |
 GB | 71 websites |
 Poland | 54 websites |
 Czech Republic | 52 websites |
 Denmark | 51 websites |
 Netherlands | 50 websites |
 Russia | 42 websites |
TLDs
| .de | 545 websites |
| .com | 503 websites |
| .org | 155 websites |
| .net | 104 websites |
| .fr | 68 websites |
| .it | 60 websites |
| .dk | 45 websites |
| .pl | 40 websites |
| .nl | 38 websites |
| .co.uk | 37 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redReferences
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850
- https://seclists.org/bugtraq/2019/Aug/28
- https://www.debian.org/security/2019/dsa-4501
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WVSDPZJG3UA43X3JXRHJAWXLDZEW77LM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PMEGUWMWORC3DOVEHVXLFT3A5RSCMLBH/
- https://usn.ubuntu.com/4102-1/
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00005.html
Websites affected by CVE-2019-9850
Top websites that are affected by CVE-2019-9850. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.*****.bg |  Bulgaria | ***,*** | |
| **************.*******.de | Germany | ***,*** | |
| *****************.de | Germany | ***,*** | |
| ********.com | United States | ***,*** | |
| ******.cz | Czech Republic | ***,*** | |
| ***.****.br |  Brazil | ***,*** | |
| ******.*******.de | Germany | ***,*** | |
| *****************.cz | Czech Republic | ***,*** | |
| ************************.com | United States | ***,*** | |
| **********.com | United States | ***,*** |