CVE-2019-9855
Windows 8.3 path equivalence handling flaw allows LibreLogo script execution
LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handers. However a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.
We have discovered 63 live websites that are affected by CVE-2019-9855.
Affected Software
| Product | |
| Category | Content Management System |
| Vulnerable Versions |
|
| Total Vulnerable Versions | 195 |
| Vulnerable Domains | 63 live websites (1.87% of LibreOffice install base) |
Details
- Published - Sep 6, 2019
- Updated - Oct 22, 2019
Credits
- Thanks to alex (@insertscript) for reporting this issue
CVE References
CWE References
Countries
 United States | 7 websites |
 Germany | 24 websites |
 Spain | 5 websites |
 Italy | 4 websites |
 Denmark | 3 websites |
 France | 3 websites |
 GB | 3 websites |
 Poland | 2 websites |
 Argentina | 1 websites |
TLDs
| .de | 20 websites |
| .com | 13 websites |
| .org | 4 websites |
| .net | 3 websites |
| .info | 3 websites |
| .pl | 2 websites |
| .dk | 2 websites |
| .it | 2 websites |
| .co.uk | 1 websites |
| .com.br | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redReferences
- https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855/
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html
Websites affected by CVE-2019-9855
Top websites that are affected by CVE-2019-9855. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***********.de | Germany | ***,*** | |
| *************.com | United States | *,***,*** | |
| ********.dk | Denmark | *,***,*** | |
| ********.com | United States | **,***,*** | |
| ********************.de | Germany | **,***,*** | |
| *******.de | Germany | **,***,*** | |
| *****.org | Germany | **,***,*** | |
| ***********.**.uk | GB | **,***,*** | |
| ***********************.com | France | **,***,*** | |
| ***.*******************.de | Germany | **,***,*** |