CVE-2014-9714

Cross-site scripting XSS vulnerability in the WddxPacket::recursiveAddVar function in HHVM aka the HipHop Virtual Machine before 3.5.0 allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddxserializevalue function...