CVE-2020-13661
https://notcve.org/view.php?id=CVE-2020-13661
Telerik Fiddler through 5.0.20202.18177 allows attackers to execute arbitrary programs via a hostname with a trailing space character, followed by --utility-and-browser --utility-cmd-prefix= and the pathname of a locally installed program. The victim must interactively choose the Open On Browser option. Fixed in version 5.0.20204. Telerik Fiddler versiones hasta 5.0.20202.18177, permite a atacantes ejecutar programas arbitrarios por medio de un nombre de host con un carácter de espacio final, seguido de --utility-and-browser --utility-cmd-prefix= y el nombre de ruta de un programa instalado localmente. La víctima debe elegir interactivamente la opción Open On Browser. • https://www.nagenrauft-consulting.com/blog https://www.telerik.com/support/whats-new/fiddler/release-history/fiddler-v5.0.20204 https://www.telerik.com/support/whats-new/release-history •
CVE-2019-12097
https://notcve.org/view.php?id=CVE-2019-12097
Telerik Fiddler v5.0.20182.28034 doesn't verify the hash of EnableLoopback.exe before running it, which could lead to code execution or local privilege escalation by replacing the original EnableLoopback.exe. Telerik Fiddler v5.0.20182.28034 no verifica el hash de EnableLoopback.exe antes de ejecutarlo, lo que podría provocar la ejecución del código o la escalada de privilegios locales al reemplazar el EnableLoopback.exe original. • https://vuldb.com/?id.135671 • CWE-354: Improper Validation of Integrity Check Value •