Plugins Database As of 11-22-2019

TortoiseSVN <= 1.12.1 Remote Code Execution (RCE) Vulnerability

ID:
1.3.6.1.4.1.25623.1.0.107701

CVSS Base Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary:
This host is installed with TortoiseSVN and is prone to a remote code-execution vulnerability.

Impact:
Successful exploitation could allow remote attackers to execute arbitrary code to compromise the target system.

Affected Versions:
TortoiseSVN through version 1.12.1.

Technical Details:
These vulnerabilities exist:
- The URI handler of TortoiseSVN (Tsvncmd:) allows a customised diff operation on Excel workbooks, which could be used to open remote workbooks without protection from macro security settings.
- The `tsvncmd:command:diff?path:[file1]?path2:[file2]` URI will execute a customised diff on [file1] and [file2] based on the file extension. For xls files, it will execute the script `diff-xls.js` using wscript, which will open the two files for analysis without any macro security warning.

Recommendations:
Update to TortoiseSVN version 1.12.2 or later.
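As an added example (not part of the plugin or of the TortoiseSVN project), the following Python helpers cover the two defender-side checks this record implies: deciding whether an installed TortoiseSVN version string falls in the affected range (through 1.12.1, fixed in 1.12.2), and flagging `tsvncmd:` diff links in captured proxy or mail log lines that reference `.xls` workbooks. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# First patched release per the advisory: anything older is affected.
FIXED_VERSION = (1, 12, 2)


def parse_version(text):
    """Turn '1.12.1' (or '1.12.1.28746') into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when the installed TortoiseSVN version predates 1.12.2."""
    return parse_version(version) < FIXED_VERSION


# Shape documented on the page: tsvncmd:command:<cmd>?path:<file1>?path2:<file2>
_URI_RE = re.compile(r"^tsvncmd:command:(?P<cmd>[^?]+)(?P<args>(?:\?[^?]*)*)$", re.I)
# Used to pull tsvncmd: links out of free-form log text (constructed helper).
_TOKEN_RE = re.compile(r"tsvncmd:command:\S+", re.I)


def parse_tsvncmd(uri):
    """Split a tsvncmd: URI into its command and a dict of ?key:value arguments."""
    match = _URI_RE.match(uri.strip())
    if not match:
        return None
    args = {}
    for chunk in match.group("args").split("?")[1:]:
        # partition on the first ':' so drive letters and http: paths survive
        key, _, value = chunk.partition(":")
        args[key.lower()] = unquote(value)
    return {"command": match.group("cmd").lower(), "args": args}


def is_risky_xls_diff(uri):
    """True for a diff command whose path/path2 arguments point at .xls files."""
    parsed = parse_tsvncmd(uri)
    if parsed is None or parsed["command"] != "diff":
        return False
    paths = [v for k, v in parsed["args"].items() if k.startswith("path")]
    return any(p.lower().endswith(".xls") for p in paths)


def find_risky_links(lines):
    """Return (line_index, uri) for every risky diff link found in the lines."""
    return [(i, tok) for i, line in enumerate(lines)
            for tok in _TOKEN_RE.findall(line) if is_risky_xls_diff(tok)]
```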

Detection Type:
Windows Registry

Solution Type:
Vendor Patch

Severity
High
CVSS Score
10.0
Published
2019-08-28 15:43:37
Modified
2019-08-30 09:47:09
CVE
CVE-2019-14422
