CVE-2018-6333

CRITICAL

Nuclide < 0.290.0 - Cross-Site Scripting via hhvm-attach Deep Link Hostname Parameter

Title source: llm

Description

The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0.

Scores

CVSS v3 9.8
EPSS 0.0233
EPSS Percentile 81.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-20 CWE-79
Status published
Products (2)
facebook/nuclide < 0.290.0
npm/nuclide 0 - 0.290.0
Published Dec 31, 2018
Tracked Since Feb 18, 2026