CVE-2018-6341
https://notcve.org/view.php?id=CVE-2018-6341
React applications that rendered to HTML using the ReactDOMServer API did not escape user-supplied attribute names at render time. Attribute values were escaped, but an attacker-controlled attribute name was emitted verbatim, so a name containing quotes, whitespace or angle brackets could break out of the attribute and inject markup or event handlers, leading to cross-site scripting. This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2. • https://github.com/ossf-cve-benchmark/CVE-2018-6341 https://reactjs.org/blog/2018/08/01/react-v-16-4-2.html https://twitter.com/reactjs/status/1024745321987887104 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
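The following is an added example and is not React's code: a toy server-side tag renderer that shows why escaping attribute values alone is not enough. `renderTagVulnerable` mirrors the bug class (the attribute name is concatenated verbatim), while `renderTagHardened` drops any name that does not match an attribute-name grammar. The regex is my own approximation of the HTML attribute-name rules, not React's validator, and `userProps` is a constructed input standing in for something like `<div {...bodyFromRequest}>`.

```javascript
'use strict';
// Added example (not React's code): an unvalidated attribute NAME is an XSS
// sink even when every attribute VALUE is escaped.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Vulnerable pattern: only the value goes through escapeHtml; the name is
// written into the markup exactly as supplied.
function renderTagVulnerable(tag, props) {
  const attrs = Object.entries(props)
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join('');
  return `<${tag}${attrs}></${tag}>`;
}

// Hardened pattern: accept only names matching an attribute-name grammar
// (assumed approximation: ASCII letter, '_' or ':' first, then letters,
// digits, '-', '_', ':' or '.'); anything else is dropped and reported.
const SAFE_ATTR_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/;

function renderTagHardened(tag, props) {
  const rejected = [];
  const attrs = Object.entries(props)
    .filter(([name]) => {
      if (SAFE_ATTR_NAME.test(name)) return true;
      rejected.push(name);
      return false;
    })
    .map(([name, value]) => ` ${name}="${escapeHtml(value)}"`)
    .join('');
  return { html: `<${tag}${attrs}></${tag}>`, rejected };
}

// Constructed attacker-controlled props. The value is harmless; the payload
// lives entirely in the attribute name.
const userProps = {
  'data-id': '42',
  'x onmouseover=alert(1) y': 'z',
};

const vulnerableHtml = renderTagVulnerable('div', userProps);
// -> <div data-id="42" x onmouseover=alert(1) y="z"></div>
//    the browser parses this as three attributes, one of them a handler
const hardened = renderTagHardened('div', userProps);
// -> hardened.html is <div data-id="42"></div>; hardened.rejected lists the bad name

console.log(vulnerableHtml);
console.log(hardened.html, hardened.rejected);
```

The point to carry over to any templating layer: treat the key of a spread/props object as untrusted input with its own grammar, not as a trusted identifier, and reject rather than escape it, since there is no escaping scheme for attribute names.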
CVE-2018-6343
https://notcve.org/view.php?id=CVE-2018-6343
Proxygen fails to validate that a secondary auth manager is set before dereferencing it. When no manager has been configured, parsing a Certificate or CertificateRequest HTTP/2 frame over a Fizz (TLS 1.3) transport dereferences a null pointer and crashes the process, which an unauthenticated peer can use for denial of service. This issue affects Proxygen releases starting from v2018.10.29.00 until the fix in v2018.11.19.00. • https://github.com/facebook/proxygen/commit/0600ebe59c3e82cd012def77ca9ca1918da74a71 • CWE-20: Improper Input Validation CWE-476: NULL Pointer Dereference •
CVE-2018-6335
https://notcve.org/view.php?id=CVE-2018-6335
A malformed HTTP/2 (h2) frame can cause a 'std::out_of_range' exception when parsing priority metadata, because the priority fields are read before the payload is checked to be long enough to hold them. This behavior can lead to denial of service. This affects all supported versions of HHVM (3.25.2, 3.24.6, and 3.21.10 and below) when using the proxygen server to handle HTTP/2 requests. • https://github.com/facebook/hhvm/commit/4cb57dd753a339654ca464c139db9871fe961d56 https://hhvm.com/blog/2018/05/04/hhvm-3.25.3.html • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVE-2018-6334
https://notcve.org/view.php?id=CVE-2018-6334
Multipart file uploads cause variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used, a request-controlled name can shadow or pre-populate them and lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below). • https://github.com/facebook/hhvm/commit/6937de5544c3eead3466b75020d8382080ed0cff https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html • CWE-20: Improper Input Validation CWE-621: Variable Extraction Error •
CVE-2018-6332
https://notcve.org/view.php?id=CVE-2018-6332
A potential denial-of-service issue exists in Proxygen's handling of invalid HTTP/2 SETTINGS, which can cause the server to spend disproportionate resources. This affects all supported versions of HHVM (3.24.3 and 3.21.7 and below) when using the proxygen server to handle HTTP/2 requests. • https://hhvm.com/blog/2018/03/15/hhvm-3.25.html • CWE-19: Data Processing Errors CWE-400: Uncontrolled Resource Consumption •
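The three Proxygen entries above (CVE-2018-6343, CVE-2018-6335 and CVE-2018-6332) are the same class of failure at the HTTP/2 framing layer: a payload is handed to a handler before its shape, size or the handler's existence has been checked. The following is an added example and is not Proxygen's or HHVM's code: a minimal frame validator over the RFC 7540 wire format that turns each of those cases into a returned error instead of a crash, an uncaught exception or unbounded work. The numeric type codes for the CERTIFICATE_REQUEST/CERTIFICATE extension frames are placeholders I chose, not the draft's or Proxygen's values, and the test frames at the bottom are constructed.

```javascript
'use strict';
// Added example, not Proxygen's or HHVM's code. Wire format per RFC 7540 s.4.1:
// 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.

const FRAME = { PRIORITY: 0x2, SETTINGS: 0x4 };
// Assumed placeholder codes for the secondary-certificates extension frames.
const EXT = { CERTIFICATE_REQUEST: 0xc, CERTIFICATE: 0xd };
const FLAG_ACK = 0x1;
const SETTINGS_ID = { ENABLE_PUSH: 0x2, INITIAL_WINDOW_SIZE: 0x4, MAX_FRAME_SIZE: 0x5 };

function err(code, message) { return { ok: false, error: code, message }; }

function parseFrameHeader(buf) {
  if (buf.length < 9) return err('FRAME_SIZE_ERROR', 'short header');
  const length = buf.readUIntBE(0, 3);
  const type = buf[3];
  const flags = buf[4];
  const streamId = buf.readUInt32BE(5) & 0x7fffffff;
  if (buf.length < 9 + length) return err('FRAME_SIZE_ERROR', 'truncated payload');
  return { ok: true, type, flags, streamId, payload: buf.subarray(9, 9 + length) };
}

// CVE-2018-6335 class: prove the 5 priority bytes exist before reading them.
function parsePriority(payload, streamId) {
  if (streamId === 0) return err('PROTOCOL_ERROR', 'PRIORITY on stream 0');
  if (payload.length !== 5) return err('FRAME_SIZE_ERROR', 'priority needs 5 bytes');
  const word = payload.readUInt32BE(0);
  return { ok: true, exclusive: (word >>> 31) === 1, dependency: word & 0x7fffffff, weight: payload[4] + 1 };
}

// CVE-2018-6332 class: SETTINGS outside RFC 7540 s.6.5 are a connection
// error; reject immediately instead of buffering, retrying or recomputing.
function parseSettings(payload, flags, streamId) {
  if (streamId !== 0) return err('PROTOCOL_ERROR', 'SETTINGS on non-zero stream');
  if (flags & FLAG_ACK) {
    return payload.length === 0 ? { ok: true, ack: true, settings: {} } : err('FRAME_SIZE_ERROR', 'ACK with payload');
  }
  if (payload.length % 6 !== 0) return err('FRAME_SIZE_ERROR', 'length not a multiple of 6');
  const settings = {};
  for (let off = 0; off < payload.length; off += 6) {
    const id = payload.readUInt16BE(off);
    const value = payload.readUInt32BE(off + 2);
    if (id === SETTINGS_ID.ENABLE_PUSH && value > 1) return err('PROTOCOL_ERROR', 'ENABLE_PUSH must be 0 or 1');
    if (id === SETTINGS_ID.INITIAL_WINDOW_SIZE && value > 0x7fffffff) return err('FLOW_CONTROL_ERROR', 'window too large');
    if (id === SETTINGS_ID.MAX_FRAME_SIZE && (value < 16384 || value > 16777215)) return err('PROTOCOL_ERROR', 'MAX_FRAME_SIZE out of range');
    if (id >= 1 && id <= 6) settings[id] = value; // unknown identifiers are ignored (s.6.5.2)
  }
  return { ok: true, ack: false, settings };
}

// CVE-2018-6343 class: the extension handler is optional; check it before use.
function dispatch(buf, handlers) {
  const h = parseFrameHeader(buf);
  if (!h.ok) return h;
  switch (h.type) {
    case FRAME.PRIORITY: return parsePriority(h.payload, h.streamId);
    case FRAME.SETTINGS: return parseSettings(h.payload, h.flags, h.streamId);
    case EXT.CERTIFICATE_REQUEST:
    case EXT.CERTIFICATE:
      if (!handlers.secondaryAuth) return err('PROTOCOL_ERROR', 'secondary-cert frame without a configured handler');
      return handlers.secondaryAuth(h);
    default: return { ok: true, ignored: h.type };
  }
}

// Constructed frames exercising the three cases plus one valid SETTINGS.
function frame(type, flags, streamId, payload) {
  const hdr = Buffer.alloc(9);
  hdr.writeUIntBE(payload.length, 0, 3);
  hdr[3] = type; hdr[4] = flags; hdr.writeUInt32BE(streamId, 5);
  return Buffer.concat([hdr, payload]);
}
const shortPriority = frame(FRAME.PRIORITY, 0, 1, Buffer.from([0, 0, 0]));         // 3 of the 5 bytes
const badSettings = frame(FRAME.SETTINGS, 0, 0, Buffer.from([0, 2, 0, 0, 0, 7]));  // ENABLE_PUSH = 7
const certNoHandler = frame(EXT.CERTIFICATE, 0, 0, Buffer.from([1, 2, 3]));        // no handler set
const goodSettings = frame(FRAME.SETTINGS, 0, 0, Buffer.from([0, 5, 0, 1, 0, 0])); // MAX_FRAME_SIZE = 65536

for (const f of [shortPriority, badSettings, certNoHandler, goodSettings]) console.log(dispatch(f, {}));
```

Every validator here returns a structured error that the caller can map to a GOAWAY with the matching RFC error code; nothing throws on peer-controlled input, and the optional handler is tested for presence at the single point where it is used.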