How severe is CVE-2019-9854?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.8 out of 10.

What type of vulnerability is CVE-2019-9854?

This is classified as CWE-22, which is a common weakness in software security.

CVE-2019-9854 - HIGH Severity | CVSS 7.8

Vulnerability Description

LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary locations on the file system could be executed by employing a URL encoding attack to defeat the path verification step. However this protection could be bypassed by taking advantage of a flaw in how LibreOffice assembled the final script URL location directly from components of the passed in path as opposed to solely from the sanitized output of the path verification step. This issue affects: Document Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1.

Related Vulnerabilities

CVE-2009-3721

HIGH

CVSS:7.8(High)

Multiple directory traversal and buffer overflow vulnerabilities were discovered in yTNEF, and in Evolution's TNEF parser that is derived from yTNEF. A crafted email could cause these applications to ...

CWE-222009

CVE-2015-0016

HIGH

CVSS:7.8(High)

Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) component in Microsoft Windows Vista SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gol...

CWE-222015

CVE-2015-3151

HIGH

CVSS:7.8(High)

Directory traversal vulnerability in abrt-dbus in Automatic Bug Reporting Tool (ABRT) allows local users to read, write to, or change ownership of arbitrary files via unspecified vectors to the (1) Ne...

CWE-222015

CVE-2015-7270

HIGH

CVSS:7.8(High)

Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows directory traversal.

CWE-222015

CVE-2015-8535

HIGH

CVSS:7.8(High)

MITRE is populating this ID because it was assigned prior to Lenovo becoming a CNA. A directory traversal vulnerability was discovered (fixed and publicly disclosed in 2015) in Lenovo Solution Center ...

CWE-222015

CVE-2016-4313

HIGH

CVSS:7.8(High)

Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file.

CWE-222016