CVE-2019-9848 in LibreOffice

Summary

by MITRE

LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5.


Analysis

by VulDB Data Team • 11/21/2025

The vulnerability described in CVE-2019-9848 represents a sophisticated code execution flaw within LibreOffice that exploits the document event handling system to bypass security controls. This issue specifically targets the integration between LibreOffice's document event triggers and the bundled LibreLogo scripting component, creating an attack vector that allows for silent execution of arbitrary Python commands. The vulnerability exists because LibreOffice permitted document event handlers to invoke pre-installed scripts, including LibreLogo, which is a programmable turtle graphics system designed for vector graphics creation. When combined with the document event system that can trigger scripts on user interactions such as mouse-over events, this creates a dangerous combination that enables attackers to craft malicious documents capable of executing unauthorized code. The flaw stems from insufficient input validation and privilege separation between document content and system-level script execution capabilities.

The technical implementation of this vulnerability leverages the document event system's ability to execute scripts in response to user actions, combined with LibreLogo's Python-based execution engine. When a document containing malicious Python code is opened, the document event handler can trigger LibreLogo to execute this code, effectively bypassing normal security restrictions that would otherwise prevent arbitrary script execution. This represents a classic sandbox escape scenario where a user-controlled document gains access to system-level capabilities through legitimate software components. The vulnerability is particularly dangerous because it operates silently without user warnings or prompts, making detection extremely difficult for end users. The attack requires no user interaction beyond opening the malicious document, as the document event system automatically triggers the execution when the document is loaded or when specific user actions occur. This type of vulnerability aligns with CWE-787 (Out-of-bounds Write) and CWE-79 (Cross-site Scripting) categories, as it involves unauthorized code execution through legitimate software interfaces.

The operational impact of this vulnerability extends beyond simple code execution to encompass potential system compromise and data exfiltration capabilities. An attacker could construct documents that execute malicious Python code to establish backdoors, steal sensitive information, or perform other malicious activities on the victim's system. The silent execution nature means that users would have no indication that malicious code is running, making this a particularly insidious threat. The vulnerability affects versions prior to 6.2.5, indicating that organizations running older versions of LibreOffice are at significant risk. This issue particularly impacts enterprise environments where LibreOffice is widely used for document creation and collaboration, as a single malicious document could compromise multiple systems. The attack vector is particularly concerning in environments where users frequently open documents from untrusted sources, such as email attachments or web downloads. The vulnerability demonstrates the risks associated with complex software systems that integrate multiple scripting capabilities and event handling mechanisms without proper security boundaries.

The fix implemented by the Document Foundation addresses the root cause by preventing LibreLogo from being invoked through document event handlers, effectively breaking the attack chain. This solution represents a privilege separation approach that limits the scope of what document events can trigger, preventing the escalation from document-level execution to system-level code execution. The mitigation strategy aligns with ATT&CK technique T1059.006 (Python) and T1059.007 (JavaScript), which describe how attackers can leverage scripting languages to execute malicious code. Organizations should immediately update to LibreOffice 6.2.5 or later versions to remediate this vulnerability, as the fix fundamentally changes how document events interact with system scripts. Additionally, users should be educated about the risks of opening documents from untrusted sources, and organizations should implement content filtering mechanisms to detect potentially malicious documents. Security teams should monitor for indicators of compromise related to this vulnerability, particularly in environments where document sharing is common. The vulnerability highlights the importance of maintaining up-to-date software and the need for comprehensive security testing of integrated scripting systems within office productivity suites.
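The summary above describes the attack chain as an ODF document event bound to a pre-installed script, and the analysis recommends content filtering for incoming documents. The following is an added detection example, not code from VulDB, MITRE or the LibreOffice project: it parses the event listeners in an ODF package and flags any bound to a script that is not embedded in the document itself, with LibreLogo called out explicitly. The scripting-framework URI form (`vnd.sun.star.script:...?language=...&location=...`) is assumed from the ODF/UNO conventions, the sample XML is constructed, and `ENTRYPOINT` is a placeholder rather than a real function name.

```python
import zipfile
import xml.etree.ElementTree as ET

SCRIPT = "{urn:oasis:names:tc:opendocument:xmlns:script:1.0}"
XLINK = "{http://www.w3.org/1999/xlink}"

def find_script_listeners(xml_bytes):
    """Return every script:event-listener bound to a vnd.sun.star.script: URI,
    flagging scripts not stored in the document itself and any naming LibreLogo."""
    findings = []
    for el in ET.fromstring(xml_bytes).iter(SCRIPT + "event-listener"):
        href = el.get(XLINK + "href", "")
        low = href.lower()
        if not low.startswith("vnd.sun.star.script:"):
            continue  # plain URL or non-script binding: out of scope here
        findings.append({
            "event": el.get(SCRIPT + "event-name", ""),
            "href": href,
            "preinstalled": "location=document" not in low,
            "librelogo": "librelogo" in low,
        })
    return findings

def scan_odf(path_or_file):
    """Scan content.xml and styles.xml of an ODF package (a zip archive)."""
    out = []
    with zipfile.ZipFile(path_or_file) as zf:
        for part in ("content.xml", "styles.xml"):
            if part in zf.namelist():
                out += [dict(f, part=part) for f in find_script_listeners(zf.read(part))]
    return out

def is_risky(finding):
    """Pre-6.2.5 pattern: a document event reaching the bundled LibreLogo script."""
    return finding["preinstalled"] and finding["librelogo"]

# Constructed sample, not a real document: a document-level load handler bound to
# the bundled LibreLogo script (ENTRYPOINT is a placeholder, not a real function
# name) next to a handler bound to a Basic macro embedded in the document.
SAMPLE_CONTENT_XML = b"""<office:document-content
  xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
  xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
  xmlns:xlink="http://www.w3.org/1999/xlink">
 <office:scripts><office:event-listeners>
  <script:event-listener script:language="ooo:script" script:event-name="dom:load"
   xlink:href="vnd.sun.star.script:LibreLogo|LibreLogo.py$ENTRYPOINT?language=Python&amp;location=share"/>
  <script:event-listener script:language="ooo:script" script:event-name="dom:mouseover"
   xlink:href="vnd.sun.star.script:Standard.Module1.Main?language=Basic&amp;location=document"/>
 </office:event-listeners></office:scripts>
</office:document-content>"""
```

Embedded macros still deserve the usual macro-security handling; this check only isolates the event-to-pre-installed-script binding that the 6.2.5 fix removes.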

Reservation

03/17/2019

Moderation

accepted

CPE

ready

EPSS

0.81357

KEV

no

Activities

very low

Sources
