Vulnerabilities > Facebook

DATE CVE VULNERABILITY TITLE RISK
2021-09-10 CVE-2021-39207 Deserialization of Untrusted Data vulnerability in Facebook Parlai
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets.
network
low complexity
facebook CWE-502
6.5
2021-09-10 CVE-2021-24040 Deserialization of Untrusted Data vulnerability in Facebook Parlai
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks.
network
low complexity
facebook CWE-502
7.5
2021-07-23 CVE-2021-24036 Out-of-bounds Write vulnerability in Facebook Folly
Passing an attacker controlled size when creating an IOBuf could cause integer overflow, leading to an out of bounds write on the heap with the possibility of remote code execution.
network
low complexity
facebook CWE-787
7.5
2021-06-15 CVE-2021-24037 Use After Free vulnerability in Facebook Hermes
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript.
network
low complexity
facebook CWE-416
7.5
2021-06-01 CVE-2020-1920 Unspecified vulnerability in Facebook React-Native
A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash.
network
low complexity
facebook
5.0
2021-04-12 CVE-2021-24218 Cross-Site Request Forgery (CSRF) vulnerability in Facebook
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection.
network
facebook CWE-352
6.8
2021-03-15 CVE-2021-24029 Reachable Assertion vulnerability in Facebook Mvfst and Proxygen
A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion.
network
low complexity
facebook CWE-617
5.0
2021-03-11 CVE-2020-1900 Use After Free vulnerability in Facebook Hhvm
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it.
network
low complexity
facebook CWE-416
7.5
2021-03-11 CVE-2020-1899 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Facebook Hhvm
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization.
network
low complexity
facebook CWE-119
5.0
2021-03-11 CVE-2020-1898 Uncontrolled Recursion vulnerability in Facebook Hhvm
The fb_unserialize function did not impose a depth limit for nested deserialization.
network
low complexity
facebook CWE-674
5.0