CVE-2017-17536 Information

Description

Phabricator before 2017-11-10 does not block the –config and –debugger flags to the Mercurial hg program which allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a –config= or –debugger= substring.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Reference

https://hackerone.com/reports/288704 https://secure.phabricator.com/T13012

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.8