Vulnerabilities > Facebook

DATE CVE VULNERABILITY TITLE RISK
2021-06-15 CVE-2021-24037 USE After Free vulnerability in Facebook Hermes
A use after free in hermes, while emitting certain error messages, prior to commit d86e185e485b6330216dee8e854455c694e3a36e allows attackers to potentially execute arbitrary code via crafted JavaScript.
network
low complexity
facebook CWE-416
7.5
2021-06-01 CVE-2020-1920 Unspecified vulnerability in Facebook React-Native
A regular expression denial of service (ReDoS) vulnerability in the validateBaseUrl function can cause the application to use excessive resources, become unresponsive, or crash.
network
low complexity
facebook
5.0
2021-04-12 CVE-2021-24218 Cross-Site Request Forgery (CSRF) vulnerability in Facebook
The wp_ajax_save_fbe_settings and wp_ajax_delete_fbe_settings AJAX actions of the Facebook for WordPress plugin before 3.0.4 were vulnerable to CSRF due to a lack of nonce protection.
network
facebook CWE-352
6.8
2021-03-15 CVE-2021-24029 Reachable Assertion vulnerability in Facebook Mvfst and Proxygen
A packet of death scenario is possible in mvfst via a specially crafted message during a QUIC session, which causes a crash via a failed assertion.
network
low complexity
facebook CWE-617
5.0
2021-03-11 CVE-2020-1900 USE After Free vulnerability in Facebook Hhvm
When unserializing an object with dynamic properties HHVM needs to pre-reserve the full size of the dynamic property array before inserting anything into it.
network
low complexity
facebook CWE-416
7.5
2021-03-11 CVE-2020-1899 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Facebook Hhvm
The unserialize() function supported a type code, "S", which was meant to be supported only for APC serialization.
network
low complexity
facebook CWE-119
5.0
2021-03-11 CVE-2020-1898 Uncontrolled Recursion vulnerability in Facebook Hhvm
The fb_unserialize function did not impose a depth limit for nested deserialization.
network
low complexity
facebook CWE-674
5.0
2021-03-10 CVE-2021-24030 Argument Injection OR Modification vulnerability in Facebook Gameroom
The fbgames protocol handler registered as part of Facebook Gameroom does not properly quote arguments passed to the executable.
network
low complexity
facebook CWE-88
7.5
2021-03-10 CVE-2021-24025 Integer Overflow OR Wraparound vulnerability in Facebook Hhvm
Due to incorrect string size calculations inside the preg_quote function, a large input string passed to the function can trigger an integer overflow leading to a heap overflow.
network
low complexity
facebook CWE-190
7.5
2021-03-10 CVE-2020-1921 Out-Of-Bounds Write vulnerability in Facebook Hhvm
In the crypt function, we attempt to null terminate a buffer using the size of the input salt without validating that the offset is within the buffer.
network
low complexity
facebook CWE-787
5.0