CVE-2019-14422

NONE EPSS 96.6%
Published Aug 15, 2019 (6y ago) · Modified Jun 17, 2026 (2w ago)

Description

An issue was discovered in TortoiseSVN 1.12.1. The Tsvncmd: URI handler allows a customised diff operation on Excel workbooks, which could be used to open remote workbooks without protection from macro security settings to execute arbitrary code. A tsvncmd:command:diff?path:[file1]?path2:[file2] URI will execute a customised diff on [file1] and [file2] based on the file extension. For xls files, it will execute the script diff-xls.js using wscript, which will open the two files for analysis without any macro security warning. An attacker can exploit this by placing a macro virus on a network drive and forcing the victim to open the workbooks and execute the macro inside.
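A detection-side sketch for the URI shape described above, added here as an example and not taken from the advisory or from TortoiseSVN: it parses tsvncmd: links found in HTML, mail bodies or proxy logs and flags diff commands whose paths point at remote Excel workbooks. The extension list beyond "xls", the function names and the sample host are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: extensions treated as Excel workbooks; the page names only "xls".
EXCEL_EXT = (".xls", ".xlsx", ".xlsm")
# Remote locations: UNC paths (\\host\share or //host/share) or URL schemes.
REMOTE_RE = re.compile(r"^(?:\\\\|//|[a-z][a-z0-9+.-]+://)", re.I)
URI_RE = re.compile(r"tsvncmd:command:[^\s\"'<>]+", re.I)

# Constructed sample input (hypothetical host and paths).
SAMPLE = r'''
<a href="tsvncmd:command:diff?path:\\fs.example\share\q1.xls?path2:\\fs.example\share\q2.xls">report</a>
<a href="tsvncmd:command:diff?path:C:\work\a.txt?path2:C:\work\b.txt">local diff</a>
<a href="tsvncmd:command:update?path:C:\work">update</a>
'''


def parse_tsvncmd(uri):
    """Split tsvncmd:command:<cmd>?key:value?key:value into (cmd, params)."""
    cmd, *pairs = uri[len("tsvncmd:command:"):].split("?")
    params = {}
    for pair in pairs:
        # Split on the first ':' only, so values such as http://... survive.
        key, sep, value = pair.partition(":")
        if sep:
            params[unquote(key).lower()] = unquote(value)
    return cmd.lower(), params


def assess(uri):
    """Return findings for one URI; an empty list means nothing was flagged."""
    cmd, params = parse_tsvncmd(uri)
    if cmd != "diff":
        return []
    findings = []
    for key in ("path", "path2"):
        value = params.get(key, "")
        if value.lower().endswith(EXCEL_EXT) and REMOTE_RE.match(value):
            findings.append(f"{key}: remote Excel workbook {value}")
    return findings


def scan(text):
    """Find tsvncmd: URIs in text and assess each one."""
    return {m.group(0): assess(m.group(0)) for m in URI_RE.finditer(text)}
```

Any URI returned by `scan` with a non-empty finding list is a candidate for blocking or alerting at a mail or web gateway.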

Threat Intelligence

EPSS Exploit Probability
96.6% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Affected Products 1

Vendor        Product       Version   Range
tortoisesvn   tortoisesvn   1.12.1    any

References 2

  • seclists.org http://seclists.org/fulldisclosure/2019/Aug/7
    Exploit, Mailing List, Third Party Advisory
  • vulnerability-lab.com https://www.vulnerability-lab.com/get_content.php?id=2188
    Exploit, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.