CVE-2018-6333

{"id": "CVE-2018-6333", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-12-31T23:29:00.283", "references": [{"url": "https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324", "tags": ["Patch", "Third Party Advisory"], "source": "cve-assign@fb.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Secondary", "source": "cve-assign@fb.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0."}, {"lang": "es", "value": "El gestor hhvm-attach deep link en Nuclide no sanea debidamente el par\u00e1metro hostname proporcionado durante la renderizaci\u00f3n. En consecuencia, una URL maliciosa podr\u00eda utilizarse para renderizar HTML y otro tipo de contenido dentro del contexto del editor, lo cual podr\u00eda ser encadenado para provocar la ejecuci\u00f3n de c\u00f3digo. Esto afecta a las versiones de Nuclide anteriores a la v0.290.0."}], "lastModified": "2019-10-09T23:41:46.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:facebook:nuclide:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E94F33FD-6897-4D79-9A82-0B947F4AE7EB", "versionEndExcluding": "0.290.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-assign@fb.com"}