{"id":"CVE-2019-9855","details":"LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can execute arbitrary python commands contained within the document it is launched from. LibreOffice also has a feature where documents can specify that pre-installed scripts can be executed on various document script events such as mouse-over, etc. Protection was added to block calling LibreLogo from script event handlers. However, a Windows 8.3 path equivalence handling flaw left LibreOffice vulnerable under Windows, such that a document could trigger executing LibreLogo via a Windows filename pseudonym. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.","modified":"2026-04-11T12:23:58.885719Z","published":"2019-09-06T19:15:12.073Z","related":["SUSE-SU-2019:2401-1","SUSE-SU-2019:2402-1","SUSE-SU-2019:2686-1","openSUSE-SU-2019:2183-1","openSUSE-SU-2019:2361-1","openSUSE-SU-2024:10983-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"6.3.0"},{"fixed":"6.3.1"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"15.1"}],"source":"CPE_FIELD"}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00067.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00055.html"},{"type":"ADVISORY","url":"https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9855/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libreoffice/core","events":[{"introduced":"0"},{"fixed":"a7004eb475ad8836d2e5c783805e32323b86cbe6"}],"database_specific":{"cpe":"cpe:2.3:a:libreoffice:libreoffice:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"6.2.0"},{"fixed":"6.2.7"}],"source":"CPE_FIELD"}}],"versions":["CODE-4.2.0-1","CODE-4.2.0-2","CODE-4.2.0-3","CODE-4.2.0-4","CP-Android-iOS-4.2.0","MELD_LIBREOFFICE_REPOS","co-6.2-1","co-6.2-2","cp-6.2-3","cp-6.2-4","cp-6.2-5","cp-6.2-branch-point","gpg4libre-review-5.4.99","libreoffice-3-5-branch-point","libreoffice-3-6-branch-point","libreoffice-3.5.0.0","libreoffice-4-0-branch-point","libreoffice-4-1-branch-point","libreoffice-4-2-branch-point","libreoffice-4-2-milestone-1","libreoffice-4-3-branch-point","libreoffice-4-4-branch-point","libreoffice-5-0-branch-point","libreoffice-5-1-branch-point","libreoffice-5-2-branch-point","libreoffice-5-3-branch-point","libreoffice-5-4-branch-point","libreoffice-6-0-branch-point","libreoffice-6-1-branch-point","libreoffice-6-2-branch-point","sdremote-2.0.0","windows_build_successful_2011_11_08"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-9855.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}