Filtered by vendor Facebook
Subscribe
Total
127 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-6333 | 1 Facebook | 1 Nuclide | 2025-05-06 | 7.5 HIGH | 9.8 CRITICAL |
| The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0. | |||||
| CVE-2022-36938 | 1 Facebook | 1 Redex | 2025-05-01 | N/A | 9.8 CRITICAL |
| DexLoader function get_stringidx_fromdex() in Redex prior to commit 3b44c64 can load an out of bound address when loading the string index table, potentially allowing remote code execution during processing of a 3rd party Android APK file. | |||||
| CVE-2016-6872 | 1 Facebook | 1 Hhvm | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Integer overflow in StringUtil::implode in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-6874 | 1 Facebook | 1 Hhvm | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The array_*_recursive functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, related to recursion. | |||||
| CVE-2016-6870 | 1 Facebook | 1 Hhvm | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Out-of-bounds write in the (1) mb_detect_encoding, (2) mb_send_mail, and (3) mb_detect_order functions in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-6871 | 1 Facebook | 1 Hhvm | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Integer overflow in bcmath in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors, which triggers a buffer overflow. | |||||
| CVE-2016-6875 | 1 Facebook | 1 Hhvm | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Infinite recursion in wddx in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2016-6873 | 1 Facebook | 1 Hhvm | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Self recursion in compact in Facebook HHVM before 3.15.0 allows attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2014-5386 | 1 Facebook | 1 Hiphop Virtual Machine | 2025-04-12 | 5.0 MEDIUM | N/A |
| The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initialization vector. | |||||
| CVE-2014-6228 | 1 Facebook | 1 Hiphop Virtual Machine | 2025-04-12 | 7.5 HIGH | N/A |
| Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split function. | |||||
| CVE-2014-9714 | 1 Facebook | 1 Hiphop Virtual Machine | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveAddVar function in HHVM (aka the HipHop Virtual Machine) before 3.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddx_serialize_value function. | |||||
| CVE-2014-2208 | 1 Facebook | 1 Hiphop Virtual Machine | 2025-04-12 | 7.5 HIGH | N/A |
| CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string. | |||||
| CVE-2014-2209 | 1 Facebook | 1 Hiphop Virtual Machine | 2025-04-12 | 5.0 MEDIUM | N/A |
| Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory. | |||||
| CVE-2014-6392 | 1 Facebook | 2 Facebook, Facebook Messenger | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Facebook app 14.0 and the Facebook Messenger app 10.0 for iOS allows remote attackers to inject arbitrary web script or HTML via a crafted filename extension that is improperly handled during MIME sniffing of chat traffic. NOTE: the vendor disputes the significance of this report, because the user must accept an interstitial warning before the HTML file content is rendered, and because the HTML content's origin is a sandbox domain | |||||
| CVE-2014-6229 | 1 Facebook | 1 Hiphop Virtual Machine | 2025-04-12 | 5.0 MEDIUM | N/A |
| The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string, and makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging truncation of a string containing an internal '\0' character. | |||||
| CVE-2022-4899 | 1 Facebook | 1 Zstandard | 2025-02-18 | N/A | 7.5 HIGH |
| A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun. | |||||
| CVE-2023-23556 | 1 Facebook | 1 Hermes | 2025-01-31 | N/A | 9.8 CRITICAL |
| An error in BigInt conversion to Number in Hermes prior to commit a6dcafe6ded8e61658b40f5699878cd19a481f80 could have been used by a malicious attacker to execute arbitrary code due to an out-of-bound write. Note that this bug is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected. | |||||
| CVE-2023-30792 | 1 Facebook | 1 Lexical | 2025-01-30 | N/A | 6.1 MEDIUM |
| Anchor tag hrefs in Lexical prior to v0.10.0 would render javascript: URLs, allowing for cross-site scripting on link clicks in cases where input was being parsed from untrusted sources. | |||||
| CVE-2022-36937 | 1 Facebook | 1 Hhvm | 2025-01-27 | N/A | 9.8 CRITICAL |
| HHVM 4.172.0 and all prior versions use TLS 1.0 for secure connections when handling tls:// URLs in the stream extension. TLS1.0 has numerous published vulnerabilities and is deprecated. HHVM 4.153.4, 4.168.2, 4.169.2, 4.170.2, 4.171.1, 4.172.1, 4.173.0 replaces TLS1.0 with TLS1.3. Applications that call stream_socket_server or stream_socket_client functions with a URL starting with tls:// are affected. | |||||
| CVE-2023-23557 | 1 Facebook | 1 Hermes | 2025-01-21 | N/A | 9.8 CRITICAL |
| An error in Hermes' algorithm for copying objects properties prior to commit a00d237346894c6067a594983be6634f4168c9ad could be used by a malicious attacker to execute arbitrary code via type confusion. Note that this is only exploitable in cases where Hermes is used to execute untrusted JavaScript. Hence, most React Native applications are not affected. | |||||