How severe is CVE-2019-9852?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.8 out of 10.

What type of vulnerability is CVE-2019-9852?

This is classified as CWE-116, which is a common weakness in software security.

CVE-2019-9852 - HIGH Severity | CVSS 7.8

Vulnerability Description

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed. However this new protection could be bypassed by a URL encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.

Related Vulnerabilities

CVE-2016-2568

HIGH

CVSS:7.8(High)

pkexec, when used with --user nonpriv, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

CWE-1162016

CVE-2019-9853

HIGH

CVSS:7.8(High)

LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw exist...

CWE-1162019

CVE-2020-16281

HIGH

CVSS:7.8(High)

The Kommbox component in Rangee GmbH RangeeOS 8.0.4 could allow a local authenticated attacker to escape from the restricted environment and execute arbitrary code due to unrestricted context menus be...

CWE-1162020

CVE-2022-41322

HIGH

CVSS:7.8(High)

In Kitty before 0.26.2, insufficient validation in the desktop notification escape sequence can lead to arbitrary code execution. The user must display attacker-controlled content in the terminal, the...

CWE-1162022

CVE-2022-48339

HIGH

CVSS:7.8(High)

An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has a command injection vulnerability. In the hfy-istext-command function, the parameter file and parameter srcdir come from external ...

CWE-1162022

CVE-2023-26279

HIGH

CVSS:7.8(High)

IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a local user to perform unauthorized actions due to improper encoding. IBM X-Force ID: 248160.

CWE-1162023