CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2014-2209
https://notcve.org/view.php?id=CVE-2014-2209
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory. Facebook HipHop Virtual Machine (HHVM) anterior a 3.1.0 no baja la pertenencia a grupos complementarios dentro de hphp/util/capability.cpp y hphp/util/light-process.cpp, lo que permite a atacantes remotos saltarse las restricciones de acceso aprovechándose de los permisos de grupo para un archivo o directorio. • https://github.com/facebook/hhvm/commit/851fff90a9b7461df2393af32239ba217bc25946 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 2CVE-2014-9524 – Easy Social Like Box – Popup – Sidebar Widget < 2.8.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-9524
Multiple cross-site request forgery (CSRF) vulnerabilities in the Facebook Like Box (cardoza-facebook-like-box) plugin before 2.8.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, or (6) frm_height parameter in the slug_for_fb_like_box page to wp-admin/admin.php. Múltiples vulnerabilidades de CSRF en el plugin Facebook Like Box (cardoza-facebook-like-box) anterior a 2.8.3 para WordPress permiten a atacantes remotos secuestrar la autenticación de administradores para solicitudes que (1) cambian las configuraciones de plugins a través de vectores no especificados o realizan ataques de XSS a través del parámetro (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, o (6) frm_height en la página slug_for_fb_like_box en wp-admin/admin.php. • http://packetstormsecurity.com/files/129506/WordPress-Facebook-Like-Box-2.8.2-CSRF-XSS.html http://secunia.com/advisories/61557 https://wordpress.org/plugins/cardoza-facebook-like-box/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2014-7376
https://notcve.org/view.php?id=CVE-2014-7376
The Facebook Profits on Steroids (aka com.wFacebookProfitsonSteroids) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. La aplicación para Facebook Profits on Steroids (también conocida como com.wFacebookProfitsonSteroids ) 0.1 no verifica los certificados X.509 de los servidores SSL, lo que permite a atacantes man-in-the-middle suplantar servidores y obtener información sensible a través de un certificado manipulado. • http://www.kb.cert.org/vuls/id/383529 http://www.kb.cert.org/vuls/id/582497 https://docs.google.com/spreadsheets/d/1t5GXwjw82SyunALVJb2w0zi3FoLRIkfGPc7AMjRF0r4/edit?usp=sharing • CWE-310: Cryptographic Issues •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2014-6392
https://notcve.org/view.php?id=CVE-2014-6392
Cross-site scripting (XSS) vulnerability in the Facebook app 14.0 and the Facebook Messenger app 10.0 for iOS allows remote attackers to inject arbitrary web script or HTML via a crafted filename extension that is improperly handled during MIME sniffing of chat traffic. NOTE: the vendor disputes the significance of this report, because the user must accept an interstitial warning before the HTML file content is rendered, and because the HTML content's origin is a sandbox domain ** DISPUTADA ** Vulnerabilidad de XSS en la aplicación Facebook 14.0 y la aplicación Facebook Messenger 10.0 para iOS permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de una extensión de nombres de ficheros que se maneja incorrectamente durante la captura de trafico MIME del chat. NOTA: el proveedor disputa la relevancia de este informe, porque el usuario debe aceptar un aviso interesticial antes de que se renderice el contenido del fichero HTML y porque el origen del contenido HTML se trata de un dominio sandbox. • http://seclists.org/fulldisclosure/2014/Sep/13 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.3EPSS: 33%CPEs: 2EXPL: 3CVE-2008-5711 – Facebook Photo Uploader 4 - ActiveX Control Buffer Overflow
https://notcve.org/view.php?id=CVE-2008-5711
Heap-based buffer overflow in the Facebook PhotoUploader ActiveX control 5.0.14.0 and earlier allows remote attackers to execute arbitrary code via a long FileMask property value. Desbordamiento de búfer basado en montículo en el control ActiveX de Facebook PhotoUploader 5.0.14.0 y anteriores permite a atacantes remotos ejecutar código de su elección mediante un valor de la propiedad FileMask largo. • https://www.exploit-db.com/exploits/16505 https://www.exploit-db.com/exploits/5049 https://www.exploit-db.com/exploits/5102 http://securityreason.com/securityalert/4805 http://www.securityfocus.com/bid/27756 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •