PT-2019-13688 · Tortoisesvn+1

Pingfanzettake · Published 2019-08-15 · Updated 2020-08-24 · CVE-2019-14422 · CVSS v3.1 8.8 (High) · Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TortoiseSVN version 1.12.1
Description: An issue in the tsvncmd: URI handler allows a customized diff operation on Excel workbooks, potentially executing arbitrary code. A URI of the form tsvncmd:command:diff?path:[file1]?path2:[file2] makes TortoiseSVN diff [file1] against [file2] with the external diff tool selected by the files' extension. For .xls files that tool is the diff-xls.js script, run by wscript; it opens both workbooks in Excel through automation, so they open without macro security warnings and any macro they contain runs. An attacker can exploit this by placing a workbook carrying a macro virus on a network drive and getting the victim to follow a tsvncmd:command:diff URI that points at it, which executes the macro inside.
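The mechanism in the description is Excel COM automation: an Excel instance started by a script runs macros on Open unless the script sets a macro policy first. The following is an added example (not TortoiseSVN's diff-xls.js, which is JScript, and not part of this advisory) that reproduces the two Workbooks.Open calls such a script issues, in PowerShell, once as shipped and once with macros forced off. The function and helper names, the placeholder paths and the omission of the actual cell comparison are this example's own; it requires Excel to be installed.

```powershell
# Added example, not TortoiseSVN's diff-xls.js: reproduces the two
# Workbooks.Open calls that script issues through Excel COM automation,
# first as shipped (no macro policy set) and then with macros forced off.
# Requires Excel; the workbook paths are placeholders supplied by the caller.

# Office MsoAutomationSecurity constants
$msoAutomationSecurityLow          = 1  # run all macros silently; default for an automated instance
$msoAutomationSecurityByUI         = 2  # apply the user's Trust Center settings
$msoAutomationSecurityForceDisable = 3  # disable all macros, no prompt

function Test-NetworkPath {
    # True for UNC paths and for drive letters mapped to a network share.
    param([string]$Path)
    if ($Path -like '\\*') { return $true }
    $drive = Get-PSDrive -Name $Path.Substring(0, 1) -ErrorAction SilentlyContinue
    return [bool]($drive -and $drive.DisplayRoot)
}

function Open-WorkbooksForDiff {
    param(
        [Parameter(Mandatory)][string]$BaseDoc,
        [Parameter(Mandatory)][string]$NewDoc,
        [switch]$Hardened      # set AutomationSecurity before opening anything
    )
    foreach ($p in $BaseDoc, $NewDoc) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
        if (Test-NetworkPath $p) { Write-Warning "Opening a workbook from a network location: $p" }
    }

    $excel = New-Object -ComObject Excel.Application
    try {
        # As shipped: a freshly automated instance starts at msoAutomationSecurityLow,
        # so VBA in either workbook runs on Open with no security prompt.
        Write-Host ("AutomationSecurity at start: {0}" -f $excel.AutomationSecurity)

        if ($Hardened) {
            # Closes the silent-macro problem for every Open issued by this instance.
            # Must be set before the first Workbooks.Open call.
            $excel.AutomationSecurity = $msoAutomationSecurityForceDisable
        }

        $excel.Visible = $true
        # Workbooks.Open(Filename, UpdateLinks, ReadOnly)
        $base = $excel.Workbooks.Open($BaseDoc, 0, $true)
        $new  = $excel.Workbooks.Open($NewDoc,  0, $true)
        Write-Host ("Opened '{0}' and '{1}' with AutomationSecurity={2}" -f $base.Name, $new.Name, $excel.AutomationSecurity)
        # The real script would now walk both workbooks and mark differing cells;
        # that part is left out here. Excel stays open for the user.
        return $excel.AutomationSecurity
    } catch {
        $excel.Quit()
        throw
    } finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($excel)
    }
}

# Usage (placeholder paths):
# Open-WorkbooksForDiff -BaseDoc 'C:\wc\report.xls' -NewDoc 'C:\wc\report-new.xls' -Hardened
```

Without -Hardened the function behaves like the shipped script: nothing touches AutomationSecurity, so the instance stays at msoAutomationSecurityLow and a macro virus in either workbook runs as soon as it is opened. With -Hardened the same two Open calls run with macros disabled, independent of the user's Trust Center settings, which is the setting a diff script of this kind should apply before opening attacker-influenced files.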
Recommendations: Upgrade to a TortoiseSVN release that addresses CVE-2019-14422. Until then, for TortoiseSVN version 1.12.1: disable the tsvncmd: URI handler (remove its protocol registration) or otherwise restrict its use, since it lets a link open arbitrary files in Excel; stop using the diff-xls.js script for .xls files, because a workbook opened through Excel automation does not get the macro security prompts a user would see when opening it by hand; and restrict access to network drives that may hold attacker-controlled workbooks, since those are the files such a URI can point at.
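To act on the first two recommendations you need to know whether the affected version is installed, whether the tsvncmd: protocol handler is registered, and which extensions are mapped to a script-based diff. The following is an added example, written for this page and not part of the advisory or of TortoiseSVN, that reports those three things and optionally removes the handler. The registry locations it reads for the TortoiseSVN install path (HKLM\SOFTWARE\TortoiseSVN, value ProcPath) and for the per-extension diff commands (HKCU\Software\TortoiseSVN\DiffTools) are assumptions from a typical install; the script falls back to the default install path and tolerates their absence. Run it in an elevated PowerShell when using -Disable.

```powershell
# Added example, not part of the advisory or of TortoiseSVN: report the installed
# TortoiseSVN version, the tsvncmd: handler registration and the per-extension
# external diff mappings, and optionally remove the handler.
# Assumed registry layout (typical install, not verified here):
#   HKLM\SOFTWARE\TortoiseSVN            value ProcPath -> TortoiseProc.exe
#   HKCU\Software\TortoiseSVN\DiffTools  values named ".xls" etc. -> diff command
param(
    [switch]$Disable,                                        # remove the handler; default only reports
    [string]$Backup = (Join-Path $env:TEMP 'tsvncmd-handler.reg')
)

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\tsvncmd'
$affected   = [version]'1.12.1'                              # version named in this advisory

function Get-TortoiseSvnVersion {
    # File version of TortoiseProc.exe; ProcPath from the registry, else the default install path.
    $procPath = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\TortoiseSVN' -ErrorAction SilentlyContinue).ProcPath
    if (-not $procPath) { $procPath = 'C:\Program Files\TortoiseSVN\bin\TortoiseProc.exe' }
    if (-not (Test-Path -LiteralPath $procPath)) { return $null }
    $fv = (Get-Item -LiteralPath $procPath).VersionInfo.FileVersion
    try { return [version]($fv -replace ',', '.') } catch { return $null }
}

# 1. Installed version against the version this advisory names.
$v = Get-TortoiseSvnVersion
if ($null -eq $v) {
    Write-Host 'TortoiseProc.exe not found; TortoiseSVN may not be installed.'
} else {
    $short = [version]('{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build)
    if ($short -le $affected) {
        Write-Warning "TortoiseSVN $short is the version this advisory names, or older; apply the vendor fix."
    } else {
        Write-Host "TortoiseSVN $short is newer than 1.12.1; confirm in the vendor changelog that it addresses CVE-2019-14422."
    }
}

# 2. Is the tsvncmd: protocol handler registered, and what does it run?
if (Test-Path $handlerKey) {
    $command = (Get-ItemProperty -Path "$handlerKey\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    Write-Host "tsvncmd: URL handler is registered: $command"
    if ($Disable) {
        # Export first so the handler can be restored with 'reg import' after upgrading.
        & reg.exe export 'HKCR\tsvncmd' $Backup /y | Out-Null
        Remove-Item -Path $handlerKey -Recurse -Force
        Write-Host "Removed the tsvncmd: handler (backup: $Backup)."
    }
} else {
    Write-Host 'tsvncmd: URL handler is not registered.'
}

# 3. Which file types TortoiseSVN hands to a wscript/cscript diff script.
$diffTools = Get-ItemProperty -Path 'HKCU:\Software\TortoiseSVN\DiffTools' -ErrorAction SilentlyContinue
if ($diffTools) {
    $diffTools.PSObject.Properties |
        Where-Object { $_.Name -like '.*' -and $_.Value -match 'wscript|cscript' } |
        ForEach-Object { Write-Host ('Script-based external diff for {0}: {1}' -f $_.Name, $_.Value) }
} else {
    Write-Host 'No per-extension external diff mappings found under HKCU.'
}
```

Run without switches to get an inventory; rerun with -Disable to drop the protocol registration once you have confirmed it is the TortoiseSVN handler. Any extension the third step lists as mapped to a wscript or cscript command is handled by a script rather than TortoiseMerge and is worth reviewing with the .xls case in mind.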



Related Identifiers

CVE-2019-14422

Affected Products

Office Excel
Tortoisesvn