Description
The hhvm-attach deep link handler in Nuclide did not properly sanitize the provided hostname parameter when rendering. As a result, a malicious URL could be used to render HTML and other content inside of the editor's context, which could potentially be chained to lead to code execution. This issue affected Nuclide prior to v0.290.0.
Remediation
References
https://github.com/facebook/nuclide/commit/65f6bbd683404be1bb569b8d1be84b5d4c74a324
Related Vulnerabilities
CVE-2019-10383 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-1695 Vulnerability in maven package org.jboss.resteasy:resteasy-jaxrs
CVE-2022-24901 Vulnerability in npm package parse-server
CVE-2023-37960 Vulnerability in maven package io.jenkins.plugins:mathworks-polyspace
CVE-2022-35916 Vulnerability in npm package @openzeppelin/contracts-upgradeable