LibreOffice Remote Code Execution Flaw Discovered

CVE-2018-16858 Directory Traversal Vulnerability in Script Execution

LibreOffice is a free and open-source office suite that includes applications for word processing, the creation and editing of spreadsheets, slideshows, diagrams, drawings, and databases. Prior to versions 6.0.7 and 6.1.3, LibreOffice is vulnerable to a directory traversal attack.

LibreOffice has a feature that lets pre-installed macros run on document events such as mouse-over. The flaw makes it possible to craft a document which, when opened by LibreOffice, can execute a Python method from a script in an arbitrary file system location, specified relative to the LibreOffice install location.

LibreOffice is typically bundled with Python, so an attacker has a set of known scripts at a known relative file system location to work with. The bundled Python provides a simple route to execute arbitrary commands via a crafted document. In the fixed versions, the relative directory flaw is corrected, and access is restricted to scripts.

Lansweeper can tell you in no time which devices have a vulnerable LibreOffice version in place and need to be patched. Simply run our custom report and get cracking.
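A version triage for the two fixed releases named above, as an added example (not Lansweeper's report and not LibreOffice project code). The hostnames and version strings are constructed, and treating branches older than 6.0 as unfixed and branches newer than 6.1 as fixed is an assumption.

```python
import re

# Fixed releases named in the text above: 6.0.7 (6.0 branch) and 6.1.3 (6.1 branch).
FIXED_BY_BRANCH = {(6, 0): (6, 0, 7), (6, 1): (6, 1, 3)}
NEWEST_PATCHED_BRANCH = max(FIXED_BY_BRANCH)
# Matches "LibreOffice 6.0.6.2 ..." as well as a bare "6.1.3"; build digits are ignored.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.\d+)*")

def parse_version(text):
    """Return (major, minor, micro) from a version string, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Classify one inventory version string for CVE-2018-16858."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return "fixed" if v >= FIXED_BY_BRANCH[branch] else "vulnerable"
    # Assumption: branches older than 6.0 never received the fix,
    # and branches newer than 6.1 shipped with it.
    return "fixed" if branch > NEWEST_PATCHED_BRANCH else "vulnerable"

def triage(inventory):
    """Map {host: version string} to {status: sorted list of hosts}."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, text in inventory.items():
        report[classify(text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = {
    "ws-001": "LibreOffice 6.0.6.2",
    "ws-002": "LibreOffice 6.0.7.3",
    "ws-003": "6.1.2",
    "ws-004": "LibreOffice 6.1.3.2",
    "ws-005": "LibreOffice 5.4.7.2",
    "ws-006": "LibreOffice 6.2.0.3",
    "ws-007": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" need a manual check, since an unparseable version string says nothing about patch state.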


Source: https://www.libreoffice.org/about-us/security/advisories/cve-2018-16858/
