CVE-2019-14422
published 2019-08-15


Priority: P266, high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 16.39% (96.6th percentile)
An issue was discovered in TortoiseSVN 1.12.1. The Tsvncmd: URI handler allows a customised diff operation on Excel workbooks, which could be used to open remote workbooks without protection from macro security settings to execute arbitrary code. A tsvncmd:command:diff?path:[file1]?path2:[file2] URI will execute a customised diff on [file1] and [file2] based on the file extension. For xls files, it will execute the script diff-xls.js using wscript, which will open the two files for analysis without any macro security warning. An attacker can exploit this by putting a macro virus on a network drive and forcing the victim to open the workbooks and execute the macro inside.

Affected

1 range

Vendor | Product | Version range | Fixed in
tortoisesvn | tortoisesvn | |

Detection & IOCs (extracted from sources)

filename: diff-xls.js
command: tsvncmd:command:diff?path:[file1]?path2:[file2]
process: wscript
  • Monitor for wscript.exe spawning diff-xls.js, particularly when invoked via the Tsvncmd: URI handler, as this indicates exploitation of the TortoiseSVN diff handler to open Excel workbooks without macro security.
  • Detect tsvncmd: URI scheme usage in browser or .url files, especially with 'command:diff' and UNC/network paths (e.g., \\<remote_host>\...) as path parameters, which may indicate an attacker-controlled network drive being referenced.
  • Alert on wscript.exe being killed shortly after spawning, as the attacker technique involves terminating wscript and quitting Excel post-execution to reduce visibility.
  • Monitor Excel (EXCEL.EXE) being launched as a child process of wscript.exe opening .xlsm files from remote network shares, which is anomalous and indicative of this exploit chain.
  • The exploit bypasses Excel macro security warnings entirely when files are opened via wscript/diff-xls.js; standard macro security settings do NOT protect against this attack vector.
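
One way to implement the second check above (tsvncmd: URIs with 'command:diff' and UNC paths to workbooks) over text pulled from .url files, HTML or proxy logs. This is an added example, not code from TortoiseSVN or from this page's sources; the sample lines, host name and severity labels are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Format taken from the advisory: tsvncmd:command:diff?path:[file1]?path2:[file2]
URI_RE = re.compile(r"tsvncmd:command:([a-z]+)\?([^\s\"'<>]+)", re.IGNORECASE)
EXCEL_EXT = (".xls", ".xlsm")  # extensions named on this page

def parse_tsvncmd(text):
    """Yield (command, params) for each tsvncmd: URI found in text."""
    for m in URI_RE.finditer(text):
        params = {}
        for part in m.group(2).split("?"):
            # Split on the first ':' only, so drive-letter paths stay intact.
            key, sep, value = part.partition(":")
            if sep:
                params[key.lower()] = unquote(value)  # handle %5C-style encoding
        yield m.group(1).lower(), params

def is_unc(path):
    """True for UNC (network share) paths, with either slash direction."""
    return path.replace("/", "\\").startswith("\\\\")

def classify(text):
    """Return (severity, paths) findings for diff URIs that reference workbooks."""
    findings = []
    for command, params in parse_tsvncmd(text):
        if command != "diff":
            continue
        paths = [params[k] for k in ("path", "path2") if k in params]
        excel = [p for p in paths if p.lower().endswith(EXCEL_EXT)]
        remote = [p for p in excel if is_unc(p)]
        if remote:
            findings.append(("high", remote))    # workbook on a network share
        elif excel:
            findings.append(("review", excel))   # local workbook diff
    return findings

# Constructed sample input (hypothetical host and paths).
SAMPLES = [
    r"URL=tsvncmd:command:diff?path:\\files.example\share\a.xlsm?path2:\\files.example\share\b.xlsm",
    r'<a href="tsvncmd:command:diff?path:C:\work\old.xls?path2:C:\work\new.xls">',
    r"tsvncmd:command:diff?path:%5C%5Cfiles.example%5Cshare%5Ca.xls?path2:C:\work\b.txt",
    r"tsvncmd:command:log?path:C:\work\repo",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

A "high" finding is a lead for correlation with the process-level signals listed above (wscript.exe running diff-xls.js, EXCEL.EXE as its child), not proof of execution on its own.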

CVSS provenance

nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P