TortoiseSVN · CVE-2019-14422
**Name of the Vulnerable Software and Affected Versions**
TortoiseSVN version 1.12.1
**Description**
An issue in the `tsvncmd:` URI handler allows a customized diff operation on Excel workbooks, potentially executing arbitrary code. The `tsvncmd:command:diff?path:[file1]?path2:[file2]` URI runs a customized diff of `[file1]` and `[file2]` chosen by file extension. For `.xls` files, it runs the `diff-xls.js` script via `wscript`, which opens both workbooks without any macro security warning. An attacker can exploit this by placing a workbook containing a macro virus on a network drive and inducing the victim to open a diff URI that points at it, so the macro runs silently.
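The URI format above is simple enough to screen for at a mail gateway or proxy. The following detector is an added example, not TortoiseSVN code: it parses `tsvncmd:` URIs as the description lays them out (`?`-separated `key:value` fields) and rates a `diff` command as higher risk when a path carries a scripted-diff extension, and higher still when that path is a UNC network share. The sample lines and the `SCRIPTED_DIFF_EXTS` set are constructed for the example.

```python
import os
import re
from urllib.parse import unquote

# Extensions TortoiseSVN 1.12.1 hands to the scripted Excel diff (diff-xls.js via
# wscript) according to the advisory. Extend if your install maps more (assumption).
SCRIPTED_DIFF_EXTS = {".xls"}

URI_RE = re.compile(r"tsvncmd:[^\s\"'<>]+", re.IGNORECASE)


def parse_tsvncmd(uri):
    """Split 'tsvncmd:command:diff?path:A?path2:B' into a dict of fields.
    Each '?'-separated field is key:value; partition on the first ':' only so
    drive letters in Windows paths survive."""
    if not uri.lower().startswith("tsvncmd:"):
        return None
    fields = {}
    for part in uri[len("tsvncmd:"):].split("?"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.lower()] = unquote(value)
    return fields


def is_unc(path):
    """True for \\\\server\\share paths (the network-drive case in the advisory)."""
    return path.startswith("\\\\") or path.startswith("//")


def assess(uri):
    """Return 'high', 'medium', 'low' for a diff URI, or None if not a diff."""
    fields = parse_tsvncmd(uri)
    if not fields or fields.get("command", "").lower() != "diff":
        return None
    risk = "low"
    for key in ("path", "path2"):
        path = fields.get(key, "")
        if os.path.splitext(path)[1].lower() in SCRIPTED_DIFF_EXTS:
            # Workbook goes to the scripted diff: macros would run unprompted.
            risk = "high" if (is_unc(path) or risk == "high") else "medium"
    return risk


def scan(lines):
    """Return (uri, risk) for every diff URI found in the given text lines."""
    found = []
    for line in lines:
        for m in URI_RE.finditer(line):
            risk = assess(m.group(0))
            if risk is not None:
                found.append((m.group(0), risk))
    return found


# Constructed sample lines, as a mail gateway or proxy log might carry them.
SAMPLE_LINES = [
    "Q1 numbers: tsvncmd:command:diff?path:\\\\fs01\\share\\q1.xls?path2:\\\\fs01\\share\\q2.xls",
    "tsvncmd:command:diff?path:C:\\work\\a.txt?path2:C:\\work\\b.txt",
    "tsvncmd:command:log?path:C:\\work",
]
```

Running `scan(SAMPLE_LINES)` rates the first line `high` (spreadsheets on a UNC share), the second `low`, and skips the third because it is not a diff.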
**Recommendations**
For TortoiseSVN version 1.12.1, consider disabling the `tsvncmd:` URI handler, or restricting which users and applications may invoke it, until a patched version is available. Avoid using the `diff-xls.js` script to diff `.xls` files until the issue is resolved. As a temporary workaround, restrict access to network drives that may hold untrusted workbooks so that a macro virus delivered this way cannot run.