tl;dr; Upgrade to >= 6.2.6 or >= 6.0.0. There is a cluster of issues here. ---- CVE-2019-9850 Insufficient url validation allowing LibreLogo script execution There was a way to encode the script url that could bypass the fix of CVE-2019-9848 https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9850 ---- CVE-2019-9851 LibreLogo global-event script execution The fix of CVE-2019-9848 blocked execution of LibreLogo from document script events, e.g. mouse-over, but there is another separate feature of global script events, e.g. document-open which are also affected https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9851 ---- CVE-2019-9852 Insufficient URL encoding flaw in allowed script location check There was a way to encode the script url to bypasses the fix of CVE- 2018-16858 to again allow scripts in arbitrary locations on the file system to be executed https://www.libreoffice.org/about-us/security/advisories/CVE-2019-9852 -- To unsubscribe e-mail to: discuss+unsubscribe@documentfoundation.org Problems? https://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/ Posting guidelines + more: https://wiki.documentfoundation.org/Netiquette List archive: https://listarchives.documentfoundation.org/www/discuss/ Privacy Policy: https://www.documentfoundation.org/privacy