CVE-2017-17536

EUVD-2017-8696
Phabricator before 2017-11-10 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a --config= or --debugger= substring.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
phacilityphabricator
𝑥
< 2017-11-10
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
phabricator
bookworm
unimportant
bullseye
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
phabricator
artful
ignored
bionic
not-affected
cosmic
ignored
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needed
zesty
ignored
References
https://hackerone.com/reports/288704
https://secure.phabricator.com/T13012
https://hackerone.com/reports/288704
https://secure.phabricator.com/T13012