7 matches found
CVE-2019-3570
CVE-2019-3570 affects Facebook HHVM: call to scrypt_enc() can trigger heap corruption when attacker-controlled N, r, p parameters are used in contexts where the output is re-verified with the same parameters. Impacted versions include 4.3.0–4.8.0, 3.30.5 and earlier, and all of 4.0, 4.1, and 4.2 ...
CVE-2014-9714
HHVM’s WddxPacket::recursiveAddVar enables cross-site scripting (XSS) via the wddx_serialize_value path when processing crafted strings, affected in HHVM prior to 3.5.0. The vulnerability is remote-executed and linked to a failure to filter input in WddxPacket::recursiveAddVar. Affected component...
CVE-2014-5386
CVE-2014-5386 affects Facebook HHVM: the mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp does not seed the random number generator before HHVM 3.3.0, which enables remote attackers to defeat cryptographic protections by reusing a single initialization vector. Root cause is lac...
CVE-2014-6228
HHVM before 3.3.0 is affected by an integer overflow in the string_chunk_split function (zend-string.cpp) that can be triggered by crafted chunk_split arguments, allowing remote denial of service (application crash) or potentially other impact. The CVE is supported by the NVD entry; no remediatio...
CVE-2014-2209
CVE-2014-2209: HHVM before 3.1.0 fails to drop supplemental group memberships in hphp/util/capability.cpp and hphp/util/light-process.cpp, enabling remote attackers to bypass access restrictions by abusing file/directory group permissions. Affected: Facebook HipHop Virtual Machine (HHVM) prior to...
CVE-2014-2208
The vulnerability CVE-2014-2208 affects Facebook HHVM prior to version 2.4.2. A CRLF injection in the LightProcess protocol implementation (hphp/util/light-process.cpp) allows remote attackers to cause arbitrary command execution by injecting a newline character before the end of a string. Affect...
CVE-2014-6229
CVE-2014-6229 affects Facebook HHVM prior to 3.3.0. The HashContext class in hphp/runtime/ext/ext_hash.cpp improperly assumes a key string terminator as '\0', enabling read access beyond end of string and potentially truncation of an internal '\0' character. Impact is information disclosure and w...