CVE-2018-6333

Опубликовано: 31 дек. 2018

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0.

Ссылки

https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324
Patch
Third Party Advisory
https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:facebook:nuclide:*:*:*:*:*:*:*:*

Версия до 0.290.0 (исключая)

EPSS

Процентиль: 78%

0.01115

Низкий

9.8 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-79

CWE-20

Связанные уязвимости

GHSA-r83x-wj75-v89r

CVSS3: 9.8

github

больше 3 лет назад

Nuclide Improper Input Validation

EPSS

Процентиль: 78%

0.01115

Низкий

9.8 Critical

CVSS3

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-79

CWE-20