CVE-2017-17536
Published: Dec 11, 2017
Modified: Sep 16, 2024
PUBLISHED
Description
Phabricator before 2017-11-10 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a --config= or --debugger= substring.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
https://hackerone.com/reports/288704
x_refsource_MISC
https://secure.phabricator.com/T13012
x_refsource_MISC