LibreOffice documents can contain macros. The execution of those macros is controlled by the document security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in how the urls to the macros within the document were processed and categorized, resulting in the possibility to construct a document where macro execution bypassed the security settings. The documents were correctly detected as containing macros, and prompted the user to their existence within the documents, but macros within the document were subsequently not controlled by the security settings allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7; LibreOffice 6.3 series versions prior to 6.3.1.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - libreoffice: LibreLogo global-event script execution (CVE-2019-9851)

  - A vulnerability in OpenOffice's PPT file parser before 4.1.4, and specifically in PPTStyleSheet, allows     attackers to craft malicious documents that cause denial of service (memory corruption and application     crash) potentially resulting in arbitrary code execution. (CVE-2017-12607)

  - A vulnerability in Apache OpenOffice Writer DOC file parser before 4.1.4, and specifically in     ImportOldFormatStyles, allows attackers to craft malicious documents that cause denial of service (memory     corruption and application crash) potentially resulting in arbitrary code execution. (CVE-2017-12608)

  - LibreOffice before 2017-01-02 has an out-of-bounds write caused by a heap-based buffer overflow related to     the tools::Polygon::Insert function in tools/source/generic/poly.cxx. (CVE-2017-7870)

  - LibreOffice before 2017-03-17 has an out-of-bounds write caused by a heap-based buffer overflow related to     the ReadJPEG function in vcl/source/filter/jpeg/jpegc.cxx. (CVE-2017-8358)

  - sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x before 6.0.1.1 uses an incorrect     integer data type in the StgSmallStrm class, which allows remote attackers to cause a denial of service     (use-after-free with write access) or possibly have unspecified other impact via a crafted document that     uses the structured storage ole2 wrapper file format. (CVE-2018-10119)

  - The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx in LibreOffice before 5.4.6.1 and     6.x before 6.0.2.1 does not validate a customizations index, which allows remote attackers to cause a     denial of service (heap-based buffer overflow with write access) or possibly have unspecified other impact     via a crafted document that contains a certain Microsoft Word record. (CVE-2018-10120)

  - An information disclosure vulnerability occurs when LibreOffice 6.0.3 and Apache OpenOffice Writer 4.1.5     automatically process and initiate an SMB connection embedded in a malicious file, as demonstrated by     xlink:href=file://192.168.0.2/test.jpg within an office:document-content element in a .odt XML document.
    (CVE-2018-10583)

  - It was found that libreoffice before versions 6.0.7 and 6.1.3 was vulnerable to a directory traversal     attack which could be used to execute arbitrary macros bundled with a document. An attacker could craft a     document, which when opened by LibreOffice, would execute a Python method from a script in any arbitrary     file system location, specified relative to the LibreOffice install location. (CVE-2018-16858)

  - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on     various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a     programmable turtle vector graphics script, which can be manipulated into executing arbitrary python     commands. By using the document event feature to trigger LibreLogo to execute python contained within a     document a malicious document could be constructed which would execute arbitrary python commands silently     without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

  - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to     retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to     disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet     graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation     LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a     feature where documents can specify that pre-installed scripts can be executed on various document script     events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo     from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed     malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed. However this new protection could be bypassed by a URL     encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded     before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
    (CVE-2019-9852)

  - LibreOffice documents can contain macros. The execution of those macros is controlled by the document     security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in     how the urls to the macros within the document were processed and categorized, resulting in the     possibility to construct a document where macro execution bypassed the security settings. The documents     were correctly detected as containing macros, and prompted the user to their existence within the     documents, but macros within the document were subsequently not controlled by the security settings     allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
    LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed by employing a URL encoding attack to defeat the path     verification step. However this protection could be bypassed by taking advantage of a flaw in how     LibreOffice assembled the final script URL location directly from components of the passed in path as     opposed to solely from the sanitized output of the path verification step. This issue affects: Document     Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

  - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to     retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to     disable LibreOffice's ability to include remote resources within a document. A flaw existed where remote     graphic links loaded from docx documents were omitted from this protection prior to version 6.4.4. This     issue affects: The Document Foundation LibreOffice versions prior to 6.4.4. (CVE-2020-12802)

  - ODF documents can contain forms to be filled out by the user. Similar to HTML forms, the contained form     data can be submitted to a URI, for example, to an external web server. To create submittable forms, ODF     implements the XForms W3C standard, which allows data to be submitted without the need for macros or other     active scripting Prior to version 6.4.4 LibreOffice allowed forms to be submitted to any URI, including     file: URIs, enabling form submissions to overwrite local files. User-interaction is required to submit the     form, but to avoid the possibility of malicious documents engineered to maximize the possibility of     inadvertent user submission this feature has now been limited to http[s] URIs, removing the possibility to     overwrite local files. This issue affects: The Document Foundation LibreOffice versions prior to 6.4.4.
    (CVE-2020-12803)

  - LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual     aids that no alteration of the document occurred since the last signing and that the signature is valid.
    An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally     signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the     document to combine multiple certificate data, which when opened caused LibreOffice to display a validly     signed indicator but whose content was unrelated to the signature shown. This issue affects: The Document     Foundation LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. (CVE-2021-25633)

  - LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual     aids that no alteration of the document occurred since the last signing and that the signature is valid.
    An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to modify a digitally     signed ODF document to insert an additional signing time timestamp which LibreOffice would incorrectly     present as a valid signature signed at the bogus signing time. This issue affects: The Document Foundation     LibreOffice 7-0 versions prior to 7.0.6; 7-1 versions prior to 7.1.2. (CVE-2021-25634)

  - libreoffice: Content Manipulation with Certificate Validation Attack (CVE-2021-25635)

  - LibreOffice supports digital signatures of ODF documents and macros within documents, presenting visual     aids that no alteration of the document occurred since the last signing and that the signature is valid.
    An Improper Certificate Validation vulnerability in LibreOffice allowed an attacker to create a digitally     signed ODF document, by manipulating the documentsignatures.xml or macrosignatures.xml stream within the     document to contain both X509Data and KeyValue children of the KeyInfo tag, which when opened caused     LibreOffice to verify using the KeyValue but to report verification with the unrelated X509Data value.
    This issue affects: The Document Foundation LibreOffice 7.2 versions prior to 7.2.5. (CVE-2021-25636)

  - Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path.
    This may lead to run arbitrary Java code from the current directory. (CVE-2022-38745)

  - Improper Validation of Array Index vulnerability in the spreadsheet component of The Document Foundation     LibreOffice allows an attacker to craft a spreadsheet document that will cause an array index underflow     when loaded. In the affected versions of LibreOffice certain malformed spreadsheet formulas, such as     AGGREGATE, could be created with less parameters passed to the formula interpreter than it expected,     leading to an array index underflow, in which case there is a risk that arbitrary code could be executed.
    This issue affects: The Document Foundation LibreOffice 7.4 versions prior to 7.4.6; 7.5 versions prior to     7.5.1. (CVE-2023-0950)

  - A flaw was found in the Libreoffice package. An attacker can craft an odb containing a database/script     file with a SCRIPT command where the contents of the file could be written to a new file whose location     was determined by the attacker. (CVE-2023-1183)

  - Improper access control in editor components of The Document Foundation LibreOffice allowed an attacker to     craft a document that would cause external links to be loaded without prompt. In the affected versions of     LibreOffice documents that used floating frames linked to external files, would load the contents of     those frames without prompting the user for permission to do so. This was inconsistent with the treatment     of other linked content in LibreOffice. This issue affects: The Document Foundation LibreOffice 7.4     versions prior to 7.4.7; 7.5 versions prior to 7.5.3. (CVE-2023-2255)

  - Improper Input Validation vulnerability in GStreamer integration of The Document Foundation LibreOffice     allows an attacker to execute arbitrary GStreamer plugins. In affected versions the filename of the     embedded video is not sufficiently escaped when passed to GStreamer enabling an attacker to run arbitrary     gstreamer plugins depending on what plugins are installed on the target system. (CVE-2023-6185)

  - Insufficient macro permission validation of The Document Foundation LibreOffice allows an attacker to     execute built-in macros without warning. In affected versions LibreOffice supports hyperlinks with macro     or similar built-in command targets that can be executed when activated without warning the user.
    (CVE-2023-6186)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The version of libreoffice installed on the remote host is prior to 5.3.6.1-21. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2LIBREOFFICE-2023-002 advisory.

  - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on     various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a     programmable turtle vector graphics script, which can be manipulated into executing arbitrary python     commands. By using the document event feature to trigger LibreLogo to execute python contained within a     document a malicious document could be constructed which would execute arbitrary python commands silently     without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

  - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to     retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to     disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet     graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation     LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a     feature where documents can specify that pre-installed scripts can be executed on various document script     events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo     from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed     malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. Protection was added,     to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over.
    However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can     be executed on various global script events such as document-open, etc. In the fixed versions, global     script event handlers are validated equivalently to document script event handlers. This issue affects:
    Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9851)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed. However this new protection could be bypassed by a URL     encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded     before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
    (CVE-2019-9852)

  - LibreOffice documents can contain macros. The execution of those macros is controlled by the document     security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in     how the urls to the macros within the document were processed and categorized, resulting in the     possibility to construct a document where macro execution bypassed the security settings. The documents     were correctly detected as containing macros, and prompted the user to their existence within the     documents, but macros within the document were subsequently not controlled by the security settings     allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
    LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed by employing a URL encoding attack to defeat the path     verification step. However this protection could be bypassed by taking advantage of a flaw in how     LibreOffice assembled the final script URL location directly from components of the passed in path as     opposed to solely from the sanitized output of the path verification step. This issue affects: Document     Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1151 advisory.

  - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to     retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to     disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet     graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation     LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a     feature where documents can specify that pre-installed scripts can be executed on various document script     events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo     from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed     malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. Protection was added,     to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over.
    However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can     be executed on various global script events such as document-open, etc. In the fixed versions, global     script event handlers are validated equivalently to document script event handlers. This issue affects:
    Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9851)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed by employing a URL encoding attack to defeat the path     verification step. However this protection could be bypassed by taking advantage of a flaw in how     LibreOffice assembled the final script URL location directly from components of the passed in path as     opposed to solely from the sanitized output of the path verification step. This issue affects: Document     Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

  - LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on     various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a     programmable turtle vector graphics script, which can be manipulated into executing arbitrary python     commands. By using the document event feature to trigger LibreLogo to execute python contained within a     document a malicious document could be constructed which would execute arbitrary python commands silently     without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.5. (CVE-2019-9848)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed. However this new protection could be bypassed by a URL     encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded     before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
    (CVE-2019-9852)

  - LibreOffice documents can contain macros. The execution of those macros is controlled by the document     security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in     how the urls to the macros within the document were processed and categorized, resulting in the     possibility to construct a document where macro execution bypassed the security settings. The documents     were correctly detected as containing macros, and prompted the user to their existence within the     documents, but macros within the document were subsequently not controlled by the security settings     allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
    LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1598 advisory.

  - LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to     retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to     disable LibreOffice's ability to include remote resources within a document. A flaw existed where bullet     graphics were omitted from this protection prior to version 6.2.5. This issue affects: Document Foundation     LibreOffice versions prior to 6.2.5. (CVE-2019-9849)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. LibreOffice also has a     feature where documents can specify that pre-installed scripts can be executed on various document script     events such as mouse-over, etc. Protection was added, to address CVE-2019-9848, to block calling LibreLogo     from script event handers. However an insufficient url validation vulnerability in LibreOffice allowed     malicious to bypass that protection and again trigger calling LibreLogo from script event handlers. This     issue affects: Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9850)

  - LibreOffice is typically bundled with LibreLogo, a programmable turtle vector graphics script, which can     execute arbitrary python commands contained with the document it is launched from. Protection was added,     to address CVE-2019-9848, to block calling LibreLogo from document event script handers, e.g. mouse over.
    However LibreOffice also has a separate feature where documents can specify that pre-installed scripts can     be executed on various global script events such as document-open, etc. In the fixed versions, global     script event handlers are validated equivalently to document script event handlers. This issue affects:
    Document Foundation LibreOffice versions prior to 6.2.6. (CVE-2019-9851)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2019-9852, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed by employing a URL encoding attack to defeat the path     verification step. However this protection could be bypassed by taking advantage of a flaw in how     LibreOffice assembled the final script URL location directly from components of the passed in path as     opposed to solely from the sanitized output of the path verification step. This issue affects: Document     Foundation LibreOffice 6.2 versions prior to 6.2.7; 6.3 versions prior to 6.3.1. (CVE-2019-9854)

  - LibreOffice has a feature where documents can specify that pre-installed macros can be executed on various     script events such as mouse-over, document-open etc. Access is intended to be restricted to scripts under     the share/Scripts/python, user/Scripts/python sub-directories of the LibreOffice install. Protection was     added, to address CVE-2018-16858, to avoid a directory traversal attack where scripts in arbitrary     locations on the file system could be executed. However this new protection could be bypassed by a URL     encoding attack. In the fixed versions, the parsed url describing the script location is correctly encoded     before further processing. This issue affects: Document Foundation LibreOffice versions prior to 6.2.6.
    (CVE-2019-9852)

  - LibreOffice documents can contain macros. The execution of those macros is controlled by the document     security settings, typically execution of macros are blocked by default. A URL decoding flaw existed in     how the urls to the macros within the document were processed and categorized, resulting in the     possibility to construct a document where macro execution bypassed the security settings. The documents     were correctly detected as containing macros, and prompted the user to their existence within the     documents, but macros within the document were subsequently not controlled by the security settings     allowing arbitrary macro execution This issue affects: LibreOffice 6.2 series versions prior to 6.2.7;
    LibreOffice 6.3 series versions prior to 6.3.1. (CVE-2019-9853)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:1598 advisory.

  - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849)

  - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850)

  - libreoffice: LibreLogo global-event script execution (CVE-2019-9851)

  - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852)

  - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853)

  - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1598 advisory.

  - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849)

  - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850)

  - libreoffice: LibreLogo global-event script execution (CVE-2019-9851)

  - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852)

  - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853)

  - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

* libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands * libreoffice: Insufficient URL validation allowing LibreLogo script execution * libreoffice: LibreLogo global-event script execution * libreoffice: Insufficient URL encoding flaw in allowed script location check * libreoffice: Insufficient URL decoding flaw in categorizing macro location * libreoffice: Unsafe URL assembly flaw in allowed script location check * libreoffice: Remote resources protection module not applied to bullet graphics

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory.

  - libreoffice: LibreLogo script can be manipulated into     executing arbitrary python commands (CVE-2019-9848)

  - libreoffice: Remote resources protection module not     applied to bullet graphics (CVE-2019-9849)

  - libreoffice: Insufficient URL validation allowing     LibreLogo script execution (CVE-2019-9850)

  - libreoffice: LibreLogo global-event script execution     (CVE-2019-9851)

  - libreoffice: Insufficient URL encoding flaw in allowed     script location check (CVE-2019-9852)

  - libreoffice: Insufficient URL decoding flaw in     categorizing macro location (CVE-2019-9853)

  - libreoffice: Unsafe URL assembly flaw in allowed script     location check (CVE-2019-9854)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1151 advisory.

  - libreoffice: LibreLogo script can be manipulated into executing arbitrary python commands (CVE-2019-9848)

  - libreoffice: Remote resources protection module not applied to bullet graphics (CVE-2019-9849)

  - libreoffice: Insufficient URL validation allowing LibreLogo script execution (CVE-2019-9850)

  - libreoffice: LibreLogo global-event script execution (CVE-2019-9851)

  - libreoffice: Insufficient URL encoding flaw in allowed script location check (CVE-2019-9852)

  - libreoffice: Insufficient URL decoding flaw in categorizing macro location (CVE-2019-9853)

  - libreoffice: Unsafe URL assembly flaw in allowed script location check (CVE-2019-9854)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update libreoffice and libraries fixes the following issues :

LibreOffice was updated to 6.3.3 (jsc#SLE-8705), bringing many bug and stability fixes.

More information for the 6.3 release at:
https://wiki.documentfoundation.org/ReleaseNotes/6.3

Security issue fixed :

CVE-2019-9853: Fixed an issue where by executing macros, the security settings could have been bypassed (bsc#1152684).

Other issues addressed :

Dropped disable-kde4 switch, since it is no longer known by configure

Disabled gtk2 because it will be removed in future releases

librelogo is now a standalone sub-package (bsc#1144522).

Partial fixes for an issue where Table(s) from DOCX showed wrong position or color (bsc#1061210).

cmis-client was updated to 0.5.2 :

  - Removed header for Uuid's sha1 header(bsc#1105173).

  - Fixed Google Drive login

  - Added support for Google Drive two-factor authentication

  - Fixed access to SharePoint root folder

  - Limited the maximal number of redirections to 20

  - Switched library implementation to C++11 (the API     remains C++98-compatible)

  - Fixed encoding of OAuth2 credentials

  - Dropped cppcheck run from 'make check'. A new 'make     cppcheck' target was created for it

  - Added proper API symbol exporting

  - Speeded up building of tests a bit

  - Fixed a few issues found by coverity and cppcheck

libixion was updated to 0.15.0 :

  - Updated for new liborcus

  - Switched to spdlog for compile-time debug log outputs

  - Fixed various issues

libmwaw was updated 0.3.15 :

  - Fixed fuzzing issues

liborcus was updated to 0.15.3 :

  - Fixed various xml related bugs

  - Improved performance

  - Fixed multiple parser issues

  - Added map and structure mode to orcus-json

  - Other improvements and fixes

mdds was updated to 1.5.0 :

  - API changed to 1.5

  - Moved the API incompatibility notes from README to the     rst doc.

  - Added the overview section for flat_segment_tree.

myspell-dictionaries was updated to 20191016 :

  - Updated Slovenian thesaurus

  - Updated the da_DK dictionary

  - Removed the abbreviations from Thai hunspell dictionary

  - Updated the English dictionaries

  - Fixed the logo management for 'ca'

spdlog was updated to 0.16.3 :

  - Fixed sleep issue under MSVC that happens when changing     the clock backwards

  - Ensured that macros always expand to expressions

  - Added global flush_on function

bluez changes :

  - lib: Changed bluetooth.h to compile in strict C

gperf was updated to 3.1 :

  - The generated C code is now in ANSI-C by default.

  - Added option --constants-prefix.

  - Added declaration %define constants-prefix.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version, the LibreOffice application running on the remote host is prior to 6.2.6.
It is, therefore, affected by a flaw in how LibreOffice sanitizes user supplied input when decoding URL encoded characters in the macro location. This can result in macros within a document to be executed without the users knowledge.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update libreoffice to version 6.3.3 fixes the following issues :

LibreOffice was updated to 6.3.3 (jsc#SLE-8705), bringing many bug and stability fixes.

More information for the 6.3 release at:
https://wiki.documentfoundation.org/ReleaseNotes/6.3

Security issue fixed :

CVE-2019-9853: Fixed an issue where by executing macros, the security settings could have been bypassed (bsc#1152684).

Other issues addressed :

Dropped disable-kde4 switch, since it is no longer known by configure

Disabled gtk2 because it will be removed in future releases

librelogo is now a standalone sub-package (bsc#1144522).

Partial fixes for an issue where Table(s) from DOCX showed wrong position or color (bsc#1061210).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update libreoffice and libraries fixes the following issues :

LibreOffice was updated to 6.3.3 (jsc#SLE-8705), bringing many bug and stability fixes.

More information for the 6.3 release at:
https://wiki.documentfoundation.org/ReleaseNotes/6.3

Security issue fixed :

  - CVE-2019-9853: Fixed an issue where by executing macros,     the security settings could have been bypassed     (bsc#1152684).

Other issues addressed :

  - Dropped disable-kde4 switch, since it is no longer known     by configure

  - Disabled gtk2 because it will be removed in future     releases 

  - librelogo is now a standalone sub-package (bsc#1144522).

  - Partial fixes for an issue where Table(s) from DOCX     showed wrong position or color (bsc#1061210).

cmis-client was updated to 0.5.2 :

  - Removed header for Uuid's sha1 header(bsc#1105173).

  - Fixed Google Drive login

  - Added support for Google Drive two-factor authentication

  - Fixed access to SharePoint root folder 

  - Limited the maximal number of redirections to 20 

  - Switched library implementation to C++11 (the API     remains C++98-compatible)

  - Fixed encoding of OAuth2 credentials

  - Dropped cppcheck run from 'make check'. A new 'make     cppcheck' target was created for it

  - Added proper API symbol exporting

  - Speeded up building of tests a bit

  - Fixed a few issues found by coverity and cppcheck

libixion was updated to 0.15.0 :

  - Updated for new liborcus

  - Switched to spdlog for compile-time debug log outputs

  - Fixed various issues

libmwaw was updated 0.3.15 :

  - Fixed fuzzing issues 

liborcus was updated to 0.15.3 :

  - Fixed various xml related bugs

  - Improved performance

  - Fixed multiple parser issues 

  - Added map and structure mode to orcus-json

  - Other improvements and fixes

mdds was updated to 1.5.0 :

  - API changed to 1.5

  - Moved the API incompatibility notes from README to the     rst doc.

  - Added the overview section for flat_segment_tree.

myspell-dictionaries was updated to 20191016 :

  - Updated Slovenian thesaurus

  - Updated the da_DK dictionary

  - Removed the abbreviations from Thai hunspell dictionary

  - Updated the English dictionaries

  - Fixed the logo management for 'ca'

spdlog was updated to 0.16.3 :

  - Fixed sleep issue under MSVC that happens when changing     the clock backwards 

  - Ensured that macros always expand to expressions 

  - Added global flush_on function This update was imported     from the SUSE:SLE-15:Update update project.

This update libreoffice and libraries fixes the following issues :

LibreOffice was updated to 6.3.3 (jsc#SLE-8705), bringing many bug and stability fixes.

More information for the 6.3 release at:
https://wiki.documentfoundation.org/ReleaseNotes/6.3

Security issue fixed :

CVE-2019-9853: Fixed an issue where by executing macros, the security settings could have been bypassed (bsc#1152684).

Other issues addressed: Dropped disable-kde4 switch, since it is no longer known by configure

Disabled gtk2 because it will be removed in future releases

librelogo is now a standalone sub-package (bsc#1144522).

Partial fixes for an issue where Table(s) from DOCX showed wrong position or color (bsc#1061210).

cmis-client was updated to 0.5.2 :

  - Removed header for Uuid's sha1 header(bsc#1105173).

  - Fixed Google Drive login

  - Added support for Google Drive two-factor authentication

  - Fixed access to SharePoint root folder

  - Limited the maximal number of redirections to 20

  - Switched library implementation to C++11 (the API     remains C++98-compatible)

  - Fixed encoding of OAuth2 credentials

  - Dropped cppcheck run from 'make check'. A new 'make     cppcheck' target was created for it

  - Added proper API symbol exporting

  - Speeded up building of tests a bit

  - Fixed a few issues found by coverity and cppcheck

libixion was updated to 0.15.0 :

  - Updated for new liborcus

  - Switched to spdlog for compile-time debug log outputs

  - Fixed various issues

libmwaw was updated 0.3.15 :

  - Fixed fuzzing issues

liborcus was updated to 0.15.3 :

  - Fixed various xml related bugs

  - Improved performance

  - Fixed multiple parser issues

  - Added map and structure mode to orcus-json

  - Other improvements and fixes

mdds was updated to 1.5.0 :

  - API changed to 1.5

  - Moved the API incompatibility notes from README to the     rst doc.

  - Added the overview section for flat_segment_tree.

myspell-dictionaries was updated to 20191016 :

  - Updated Slovenian thesaurus

  - Updated the da_DK dictionary

  - Removed the abbreviations from Thai hunspell dictionary

  - Updated the English dictionaries

  - Fixed the logo management for 'ca'

spdlog was updated to 0.16.3 :

  - Fixed sleep issue under MSVC that happens when changing     the clock backwards

  - Ensured that macros always expand to expressions

  - Added global flush_on function

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- CVE-2019-9853

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were discovered in LibreOffice, the office productivity suite.

CVE-2019-9848

Nils Emmerich discovered that malicious documents could execute arbitrary Python code via LibreLogo.

CVE-2019-9849

Matei Badanoiu discovered that the stealth mode did not apply to bullet graphics.

CVE-2019-9850

It was discovered that the protections implemented in CVE-2019-9848 could be bypassed because of insufficient URL validation.

CVE-2019-9851

Gabriel Masei discovered that malicious documents could execute arbitrary pre-installed scripts.

CVE-2019-9852

Nils Emmerich discovered that the protection implemented to address CVE-2018-16858 could be bypassed by a URL encoding attack.

CVE-2019-9853

Nils Emmerich discovered that malicious documents could bypass document security settings to execute macros contained within the document.

CVE-2019-9854

It was discovered that the protection implemented to address CVE-2019-9852 could be bypassed because of insufficient input sanitization.

For Debian 8 'Jessie', these problems have been fixed in version 1:4.3.3-2+deb8u13.

We recommend that you upgrade your libreoffice packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
196590	RHEL 6 : libreoffice (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
182035	Amazon Linux 2 : libreoffice (ALASLIBREOFFICE-2023-002)	Nessus	Amazon Linux Local Security Checks	critical
180730	Oracle Linux 7 : libreoffice (ELSA-2020-1151)	Nessus	Oracle Linux Local Security Checks	critical
180688	Oracle Linux 8 : libreoffice (ELSA-2020-1598)	Nessus	Oracle Linux Local Security Checks	critical
146000	CentOS 8 : libreoffice (CESA-2020:1598)	Nessus	CentOS Local Security Checks	critical
143042	RHEL 8 : libreoffice (RHSA-2020:1598)	Nessus	Red Hat Local Security Checks	critical
135817	Scientific Linux Security Update : libreoffice on SL7.x x86_64 (20200407)	Nessus	Scientific Linux Local Security Checks	critical
135347	CentOS 7 : libreoffice (CESA-2020:1151)	Nessus	CentOS Local Security Checks	critical
135068	RHEL 7 : libreoffice (RHSA-2020:1151)	Nessus	Red Hat Local Security Checks	critical
133601	SUSE SLES12 Security Update : LibreOffice (SUSE-SU-2020:0372-1)	Nessus	SuSE Local Security Checks	high
133471	LibreOffice 6.2.6 / 6.3.1 Security Control Bypass (Windows)	Nessus	Windows	high
133134	SUSE SLED15 / SLES15 Security Update : LibreOffice (SUSE-SU-2020:0121-1)	Nessus	SuSE Local Security Checks	high
132515	openSUSE Security Update : LibreOffice (openSUSE-2019-2709)	Nessus	SuSE Local Security Checks	high
132094	SUSE SLED15 / SLES15 Security Update : LibreOffice (SUSE-SU-2019:3313-1)	Nessus	SuSE Local Security Checks	high
129736	Fedora 29 : 1:libreoffice (2019-4b0cc75996)	Nessus	Fedora Local Security Checks	high
129595	Debian DLA-1947-1 : libreoffice security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2019-9853

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

high

high

high

high

high

high

critical