CVE-2019-14422
Description
An issue was discovered in in TortoiseSVN 1.12.1. The Tsvncmd: URI handler allows a customised diff operation on Excel workbooks, which could be used to open remote workbooks without protection from macro security settings to execute arbitrary code. A tsvncmd:command:diff?path:[file1]?path2:[file2] URI will execute a customised diff on [file1] and [file2] based on the file extension. For xls files, it will execute the script diff-xls.js using wscript, which will open the two files for analysis without any macro security warning. An attacker can exploit this by putting a macro virus in a network drive, and force the victim to open the workbooks and execute the macro inside.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- TortoiseSVN/TortoiseSVNdescription
- Range: =1.12.1
Patches
Vulnerability mechanics
References
2- seclists.org/fulldisclosure/2019/Aug/7mitremailing-listx_refsource_FULLDISC
- www.vulnerability-lab.com/get_content.phpmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.