Vulnerabilities > Facebook > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-10-19 | CVE-2023-5654 | Unspecified vulnerability in Facebook React-Devtools. The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser. | 6.5 |
2023-04-29 | CVE-2023-30792 | Cross-site Scripting vulnerability in Facebook Lexical. Anchor tag hrefs in Lexical prior to v0.10.0 would render javascript: URLs, allowing for cross-site scripting on link clicks in cases where input was being parsed from untrusted sources. | 6.1 |
2022-03-23 | CVE-2020-20093 | Unspecified vulnerability in Facebook Messenger. The Facebook Messenger app for iOS 227.0 and prior and Android 228.1.0.10.116 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 6.5 |
2022-03-23 | CVE-2020-20094 | Unspecified vulnerability in Facebook Instagram. Instagram iOS 106.0 and prior and Android 107.0.0.11 and prior user interface does not properly represent URI messages to the user, which results in URI spoofing via specially crafted messages. | 6.5 |
2021-03-09 | CVE-2021-24033 | OS Command Injection vulnerability in Facebook React-Dev-Utils. react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. | 5.6 |
2021-03-04 | CVE-2021-24032 | Incorrect Default Permissions vulnerability in Facebook Zstandard. Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. | 4.7 |
2021-03-04 | CVE-2021-24031 | Incorrect Default Permissions vulnerability in Facebook Zstandard. In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. | 5.5 |
2020-02-19 | CVE-2016-1000109 | Improper Initialization vulnerability in Facebook Hhvm. HHVM does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. | 5.3 |
2019-01-15 | CVE-2019-3554 | Data Processing Errors vulnerability in Facebook Wangle. Wangle's AcceptRoutingHandler incorrectly casts a socket when accepting a TLS 1.3 connection, leading to a potential denial of service attack against systems accepting such connections. | 5.9 |
2018-12-31 | CVE-2018-6341 | Cross-site Scripting vulnerability in Facebook React. React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. | 6.1 |