CVE-2020-13661

Telerik Fiddler through 5.0.20202.18177 allows attackers to execute arbitrary programs via a hostname with a trailing space character, followed by --utility-and-browser --utility-cmd-prefix= and the pathname of a locally installed program. The victim must interactively choose the Open On Browser option. Fixed in version 5.0.20204.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 67%
VendorProductVersion
telerikfiddler
𝑥
≤ 5.0.20202.18177
𝑥
= Vulnerable software versions
References
https://www.nagenrauft-consulting.com/blog/
https://www.telerik.com/support/whats-new/fiddler/release-history/fiddler-v5.0.20204
https://www.telerik.com/support/whats-new/release-history
https://www.nagenrauft-consulting.com/blog/
https://www.telerik.com/support/whats-new/fiddler/release-history/fiddler-v5.0.20204
https://www.telerik.com/support/whats-new/release-history