Phabricator before 2017-11-10 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a --config= or --debugger= substring.
References
Link | Resource |
---|---|
https://hackerone.com/reports/288704 | Issue Tracking Third Party Advisory |
https://secure.phabricator.com/T13012 | Issue Tracking Patch Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-10-03T16:23:19
Updated: 2022-10-03T16:23:19
Reserved: 2022-10-03T00:00:00
Link: CVE-2017-17536
JSON object: View
NVD Information
Status : Analyzed
Published: 2017-12-11T07:29:00.217
Modified: 2019-10-03T00:03:26.223
Link: CVE-2017-17536
JSON object: View
Redhat Information
No data.
CWE