XSS Vulnerability in Facebook iOS Apps by Facebook
CVE-2014-6392
Currently unrated
What is CVE-2014-6392?
A cross-site scripting (XSS) vulnerability exists in the Facebook app version 14.0 and the Facebook Messenger app version 10.0 for iOS. It allows remote attackers to inject arbitrary web scripts or HTML via a specially crafted filename extension that is mishandled during MIME sniffing of chat traffic. Although the vendor asserts that users must acknowledge an interstitial warning before HTML file content is rendered, the possibility of exploitation remains a concern.