CVE-2014-9714

Name of the Vulnerable Software and Affected Versions HHVM versions prior to 3.5.0

Description A cross-site scripting issue exists due to a flaw in the WddxPacket::recursiveAddVar function. This allows remote attackers to inject arbitrary web script or HTML via a crafted string to the wddx serialize value function.

Recommendations For versions prior to 3.5.0, update to version 3.5.0 or later to resolve the issue. As a temporary workaround, consider restricting input to the wddx serialize value function to minimize the risk of exploitation.