tl;dr; Upgrade to >= 6.2.6 or >= 6.0.0.

There is a cluster of issues here.


CVE-2019-9850 Insufficient url validation allowing LibreLogo script

There was a way to encode the script URL that could bypass the fix of


CVE-2019-9851 LibreLogo global-event script execution

The fix for CVE-2019-9848 blocked execution of LibreLogo from document
script events, e.g. mouse-over, but there is a separate feature,
global script events, e.g. document-open, which is also affected.


CVE-2019-9852 Insufficient URL encoding flaw in allowed script location

There was a way to encode the script URL to bypass the fix of
CVE-2018-16858 to again allow scripts in arbitrary locations on the file
system to be executed.
