Vulnerabilities > Facebook > Hiphop Virtual Machine > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-04-13 | CVE-2014-9714 | Cross-site Scripting vulnerability in Facebook Hiphop Virtual Machine Cross-site scripting (XSS) vulnerability in the WddxPacket::recursiveAddVar function in HHVM (aka the HipHop Virtual Machine) before 3.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddx_serialize_value function. | 4.3 |
2014-12-28 | CVE-2014-6229 | Information Exposure vulnerability in Facebook Hiphop Virtual Machine The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string, and makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging truncation of a string containing an internal '\0' character. | 5.0 |
2014-12-28 | CVE-2014-5386 | Cryptographic Issues vulnerability in Facebook Hiphop Virtual Machine The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initialization vector. | 5.0 |
2014-12-28 | CVE-2014-2209 | Permissions, Privileges, and Access Controls vulnerability in Facebook Hiphop Virtual Machine Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory. | 5.0 |