PT-2017-14846 · Mercurial Scm+2 · Mercurial+2

Published: 2017-12-11 · Updated: 2019-10-03 · CVE-2017-17536

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Phabricator versions prior to 2017-11-10
Description: The issue allows remote attackers to execute arbitrary code by using the web UI to browse a branch whose name begins with a --config= or --debugger= substring, due to the failure to block the --config and --debugger flags to the Mercurial hg program.
Recommendations: For versions prior to 2017-11-10, update to a version released after 2017-11-10 to resolve the issue. As a temporary workaround, consider restricting access to the Mercurial hg program or disabling the web UI functionality that allows browsing branches with specially crafted names.
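As an added example (not code from the advisory, Phabricator or Mercurial): a Python guard that refuses to hand an option-like branch name to hg when building the command for a "browse branch" action, plus an audit that scans `hg branches` output for such names already present in a repository. It generalizes the two prefixes named above to any name starting with "-"; the helper names, the constructed listing and the assumed `hg branches` line layout (name, whitespace, rev:node, optional state) are this example's assumptions.

```python
import re


class UnsafeBranchName(ValueError):
    """Raised instead of handing an option-like branch name to hg."""


def is_safe_branch_name(name: str) -> bool:
    """Reject empty names and anything hg could read as a command-line flag.

    The advisory names --config and --debugger; treating every leading '-'
    as option-like is this example's broader assumption.
    """
    return bool(name) and not name.startswith("-")


def build_hg_log_argv(repo_dir: str, branch: str, limit: int = 20) -> list:
    """Return argv for listing a branch's history, validating the name first.

    Hypothetical helper standing in for a web UI's branch view; it only
    builds argv, so it can be exercised without running hg.
    """
    if not is_safe_branch_name(branch):
        raise UnsafeBranchName(branch)
    return ["hg", "-R", repo_dir, "log", "--branch", branch,
            "--limit", str(limit)]


# One line of `hg branches` output: name, whitespace, rev:node, optional state.
BRANCH_LINE = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<rev>\d+):(?P<node>[0-9a-f]{12})"
    r"(?:\s+\((?:inactive|closed)\))?$"
)


def audit_branch_listing(listing: str) -> list:
    """Return names from `hg branches` output that look like hg options.

    Useful for finding names created in a repository before a fix was applied.
    """
    flagged = []
    for line in listing.splitlines():
        match = BRANCH_LINE.match(line)
        if match and not is_safe_branch_name(match.group("name")):
            flagged.append(match.group("name"))
    return flagged


# Constructed sample listing (not real repository data): the nodes and the
# option-like names are made up for the demonstration.
SAMPLE_LISTING = """\
default                        42:0123456789ab
feature/login                  40:fedcba987654 (inactive)
--config=example.key=value     39:abcdef012345
--debugger                     38:112233445566
"""

if __name__ == "__main__":
    print(audit_branch_listing(SAMPLE_LISTING))
```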


Related identifiers

CVE-2017-17536

Affected products

Debian
Mercurial
Phabricator