
LibreOffice Remote Code Execution Flaw Discovered

05/02/2019
By Nils Macharis

CVE-2018-16858 Directory Traversal Vulnerability in Script Execution

LibreOffice is a free and open-source office suite that includes applications for word processing, the creation and editing of spreadsheets, slideshows, diagrams, drawings, and databases. Prior to versions 6.0.7 and 6.1.3, LibreOffice is vulnerable to a directory traversal attack.

LibreOffice has a feature where pre-installed macros can be executed on various document events, such as mouse-over. The flaw makes it possible to craft a document that, when opened by LibreOffice, could execute a Python method from a script in an arbitrary file system location, specified relative to the LibreOffice install location.

Typically LibreOffice is bundled with Python, so an attacker has a set of known scripts at a known relative file system location to work with. The bundled Python provides a simple route to execute arbitrary commands via a crafted document. In the fixed versions, the relative directory flaw is fixed, and access is restricted to scripts.

Lansweeper can tell you in no time which devices have a vulnerable LibreOffice version in place and need to be patched. Simply run our custom report and get cracking.
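
For teams triaging an exported software inventory by hand, the version logic behind such a check looks like the sketch below. It is an added example, not Lansweeper's report or LibreOffice code; the host names and inventory rows are constructed, and it assumes that branches older than 6.0 are affected and that branches newer than 6.1 already contain the fix.

```python
import re

# Fixed releases named in the advisory: 6.0.7 on the 6.0 branch, 6.1.3 on the 6.1 branch.
FIXED = {(6, 0): (6, 0, 7), (6, 1): (6, 1, 3)}


def parse_version(raw):
    """Return (major, minor, patch) from strings such as '6.0.6.2' or '1:6.1.2-1'."""
    raw = raw.strip().split(":", 1)[-1]  # drop a Debian-style epoch prefix
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised version: {raw!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_vulnerable(raw):
    """True when the version predates the fix for CVE-2018-16858."""
    version = parse_version(raw)
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Assumption: anything older than 6.0 is affected, anything newer than 6.1 is fixed.
    return branch < (6, 0)


def triage(inventory):
    """Split (host, version) rows into vulnerable hosts and rows needing manual review."""
    vulnerable, unparsed = [], []
    for host, raw in inventory:
        try:
            if is_vulnerable(raw):
                vulnerable.append(host)
        except ValueError:
            unparsed.append(host)  # never silently treat an unknown version as safe
    return vulnerable, unparsed


# Constructed sample inventory (hypothetical hosts and version strings).
INVENTORY = [
    ("ws-001", "6.0.6.2"), ("ws-002", "6.0.7.3"), ("ws-003", "6.1.2.1"),
    ("ws-004", "6.1.3.2"), ("ws-005", "5.4.7.2"), ("ws-006", "1:6.1.2-1"),
    ("ws-007", "6.2.0.3"), ("ws-008", "unknown"),
]

if __name__ == "__main__":
    vulnerable, unparsed = triage(INVENTORY)
    print("patch:", vulnerable)
    print("review manually:", unparsed)
```

A pure version comparison does not account for distribution packages that backport the fix without changing the upstream version number, so confirm flagged hosts against the vendor's own advisory.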

Source: https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/
