Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for nuclide by facebook

    CVE-2018-6333 (GCVE-0-2018-6333)

    Vulnerability from nvd – Published: 2018-12-31 23:00 – Updated: 2025-05-06 14:39
    VLAI
    Summary
    The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook Nuclide Affected: v0.290.0
    Affected: unspecified , ≤ v0.290.0 (custom)
    Create a notification for this product.
    Date Public
    2018-12-31 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T06:01:48.717Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2018-6333",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T20:16:45.907309Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-06T14:39:21.844Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nuclide",
              "vendor": "Facebook",
              "versions": [
                {
                  "status": "affected",
                  "version": "v0.290.0"
                },
                {
                  "lessThanOrEqual": "v0.290.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2018-03-19T00:00:00.000Z",
          "datePublic": "2018-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor\u0027s context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-31T22:57:01.000Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@fb.com",
              "DATE_ASSIGNED": "2018-03-19",
              "ID": "CVE-2018-6333",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nuclide",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "!=\u003e",
                                "version_value": "v0.290.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v0.290.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Facebook"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor\u0027s context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324",
                  "refsource": "MISC",
                  "url": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2018-6333",
        "datePublished": "2018-12-31T23:00:00.000Z",
        "dateReserved": "2018-01-26T00:00:00.000Z",
        "dateUpdated": "2025-05-06T14:39:21.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-6333 (GCVE-0-2018-6333)

    Vulnerability from cvelistv5 – Published: 2018-12-31 23:00 – Updated: 2025-05-06 14:39
    VLAI
    Summary
    The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation (CWE-79)
    Assigner
    References
    Impacted products
    Vendor Product Version
    Facebook Nuclide Affected: v0.290.0
    Affected: unspecified , ≤ v0.290.0 (custom)
    Create a notification for this product.
    Date Public
    2018-12-31 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T06:01:48.717Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 9.8,
                  "baseSeverity": "CRITICAL",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2018-6333",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-01T20:16:45.907309Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-06T14:39:21.844Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nuclide",
              "vendor": "Facebook",
              "versions": [
                {
                  "status": "affected",
                  "version": "v0.290.0"
                },
                {
                  "lessThanOrEqual": "v0.290.0",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "dateAssigned": "2018-03-19T00:00:00.000Z",
          "datePublic": "2018-12-31T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor\u0027s context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Improper Neutralization of Input During Web Page Generation (CWE-79)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-31T22:57:01.000Z",
            "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
            "shortName": "facebook"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve-assign@fb.com",
              "DATE_ASSIGNED": "2018-03-19",
              "ID": "CVE-2018-6333",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nuclide",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "!=\u003e",
                                "version_value": "v0.290.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v0.290.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Facebook"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor\u0027s context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Neutralization of Input During Web Page Generation (CWE-79)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324",
                  "refsource": "MISC",
                  "url": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "assignerShortName": "facebook",
        "cveId": "CVE-2018-6333",
        "datePublished": "2018-12-31T23:00:00.000Z",
        "dateReserved": "2018-01-26T00:00:00.000Z",
        "dateUpdated": "2025-05-06T14:39:21.844Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }