Allele Security Alert
Command Injection via URI handling
Sourcetree for Windows from version 0.5a up to, but not including, version 3.0.10
Sourcetree for Windows version 3.0.10
Proof of concept
Sourcetree for Windows before version 3.0.10 was vulnerable to CVE-2018-20236, a command injection in its URI handling. A remote attacker who can send a URI to a Sourcetree for Windows user can exploit this issue to gain code execution on the system.
Terry Zhang (Tophant)
Sourcetree Security Advisory 2019-03-06
Command Injection via URI handling in Sourcetree for Windows – CVE-2018-20236
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 12, 2019