Filtered by vendor Facebook
Subscriptions
Total
124 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-15840 | 1 Facebook | 1 Facebook For Woocommerce | 2024-11-21 | N/A |
| The facebook-for-woocommerce plugin before 1.9.14 for WordPress has CSRF. | ||||
| CVE-2019-11940 | 1 Facebook | 1 Proxygen | 2024-11-21 | 9.8 Critical |
| In the course of decompressing HPACK inside the HTTP2 protocol, an unexpected sequence of header table resize operations can place the header table into a corrupted state, leading to a use-after-free condition and undefined behavior. This issue affects Proxygen from v0.29.0 until v2017.04.03.00. | ||||
| CVE-2019-11939 | 1 Facebook | 1 Thrift | 2024-11-21 | 7.5 High |
| Golang Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2020.03.16.00. | ||||
| CVE-2019-11938 | 1 Facebook | 1 Thrift | 2024-11-21 | 7.5 High |
| Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00. | ||||
| CVE-2019-11937 | 1 Facebook | 1 Mcrouter | 2024-11-21 | 7.5 High |
| In Mcrouter prior to v0.41.0, a large struct input provided to the Carbon protocol reader could result in stack exhaustion and denial of service. | ||||
| CVE-2019-11936 | 1 Facebook | 1 Hhvm | 2024-11-21 | 9.8 Critical |
| Various APC functions accept keys containing null bytes as input, leading to premature truncation of input. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1. | ||||
| CVE-2019-11935 | 1 Facebook | 1 Hhvm | 2024-11-21 | 9.8 Critical |
| Insufficient boundary checks when processing a string in mb_ereg_replace allows access to out-of-bounds memory. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1. | ||||
| CVE-2019-11934 | 1 Facebook | 1 Folly | 2024-11-21 | 9.8 Critical |
| Improper handling of close_notify alerts can result in an out-of-bounds read in AsyncSSLSocket. This issue affects folly prior to v2019.11.04.00. | ||||
| CVE-2019-11930 | 1 Facebook | 1 Hhvm | 2024-11-21 | 9.8 Critical |
| An invalid free in mb_detect_order can cause the application to crash or potentially result in remote code execution. This issue affects HHVM versions prior to 3.30.12, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.23.1, as well as 4.24.0, 4.25.0, 4.26.0, 4.27.0, 4.28.0, and 4.28.1. | ||||
| CVE-2019-11929 | 1 Facebook | 1 Hhvm | 2024-11-21 | 9.8 Critical |
| Insufficient boundary checks when formatting numbers in number_format allows read/write access to out-of-bounds memory, potentially leading to remote code execution. This issue affects HHVM versions prior to 3.30.10, all versions between 4.0.0 and 4.8.5, all versions between 4.9.0 and 4.18.2, and versions 4.19.0, 4.19.1, 4.20.0, 4.20.1, 4.20.2, 4.21.0, 4.22.0, 4.23.0. | ||||
| CVE-2019-11926 | 1 Facebook | 1 Hhvm | 2024-11-21 | N/A |
| Insufficient boundary checks when processing M_SOFx markers from JPEG headers in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1. | ||||
| CVE-2019-11925 | 1 Facebook | 1 Hhvm | 2024-11-21 | N/A |
| Insufficient boundary checks when processing the JPEG APP12 block marker in the GD extension could allow access to out-of-bounds memory via a maliciously constructed invalid JPEG input. This issue affects HHVM versions prior to 3.30.9, all versions between 4.0.0 and 4.8.3, all versions between 4.9.0 and 4.15.2, and versions 4.16.0 to 4.16.3, 4.17.0 to 4.17.2, 4.18.0 to 4.18.1, 4.19.0, 4.20.0 to 4.20.1. | ||||
| CVE-2019-11924 | 1 Facebook | 1 Fizz | 2024-11-21 | N/A |
| A peer could send empty handshake fragments containing only padding which would be kept in memory until a full handshake was received, resulting in memory exhaustion. This issue affects versions v2019.01.28.00 and above of fizz, until v2019.08.05.00. | ||||
| CVE-2019-11923 | 1 Facebook | 1 Mcrouter | 2024-11-21 | 7.5 High |
| In Mcrouter prior to v0.41.0, the deprecated ASCII parser would allocate a buffer to a user-specified length with no maximum length enforced, allowing for resource exhaustion or denial of service. | ||||
| CVE-2019-11922 | 1 Facebook | 1 Zstandard | 2024-11-21 | 8.1 High |
| A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. | ||||
| CVE-2019-11921 | 1 Facebook | 1 Proxygen | 2024-11-21 | N/A |
| An out of bounds write is possible via a specially crafted packet in certain configurations of Proxygen due to improper handling of Base64 when parsing malformed binary content in Structured HTTP Headers. This issue affects versions of proxygen prior to v2019.07.22.00. | ||||
| CVE-2018-6345 | 1 Facebook | 1 Hhvm | 2024-11-21 | 9.8 Critical |
| The function number_format is vulnerable to a heap overflow issue when its second argument ($dec_points) is excessively large. The internal implementation of the function will cause a string to be created with an invalid length, which can then interact poorly with other functions. This affects all supported versions of HHVM (3.30.1 and 3.27.5 and below). | ||||
| CVE-2016-1000109 | 1 Facebook | 1 Hhvm | 2024-11-21 | 5.3 Medium |
| HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. This issue affects HHVM versions prior to 3.9.6, all versions between 3.10.0 and 3.12.4 (inclusive), and all versions between 3.13.0 and 3.14.2 (inclusive). | ||||
| CVE-2016-1000006 | 1 Facebook | 1 Hhvm | 2024-11-21 | 9.8 Critical |
| hhvm before 3.12.11 has a use-after-free in the serialize_memoize_param() and ResourceBundle::__construct() functions. | ||||
| CVE-2016-1000005 | 1 Facebook | 1 Hhvm | 2024-11-21 | 9.8 Critical |
| mcrypt_get_block_size did not enforce that the provided "module" parameter was a string, leading to type confusion if other types of data were passed in. This issue affects HHVM versions prior to 3.9.5, all versions between 3.10.0 and 3.12.3 (inclusive), and all versions between 3.13.0 and 3.14.1 (inclusive). | ||||