By tricking victims into opening an ODT (OpenDocument Text) ﬁle embedding an event embedded, it is possible to launch a directory traversal attack executing a python method from a script in any arbitrary ﬁle system location. Exploiting CVE-2018-16858, it is possible to trigger the automatic execution of a speciﬁc python library included in the suite using a hidden onmouseover event. On further analysis, researchers found out that under certain circumstances it is not only possible to specify the function you want to call inside a python script, but passing parameters is also a possibility.
In the ﬁxed versions, access is restricted to scripts under the share/Scripts/python, user/Scripts/python sub-directories of the LibreOﬃce install.
Remote Code Execution
While LibreOﬃce has been ﬁxed with the release of LibreOﬃce 6.0.7/6.1.3, update to the ﬁxed versions. OpenOﬃce is still awaiting a ﬁx. Meanwhile, it is possible to remove or rename the pythonscript.py ﬁle in the installation folder to disable the support for python.