CVE-2012-6636

Severity

68%

Complexity

86%

Confidentiality

106%

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

CVSS 2.0 Base Score 6.8. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P).

Overview

Type

Google Android API

First reported 10 years ago

2014-03-03 04:50:00

Last updated 8 years ago

2016-06-02 02:20:00

Affected Software

Google Android API 1.0 (1)

1.0

Google Android API 2.0 (2)

2.0

Google Android API 3.0 (3)

3.0

Google Android API 4.0 (4)

4.0

Google Android API 5.0 (5)

5.0

Google Android API 6.0 (6)

6.0

Google Android API 7.0 (7)

7.0

Google Android API 8.0 (8)

8.0

Google Android API 9.0 (9)

9.0

Google Android API 10.0 (10)

10.0

Google Android API 11.0 (11)

11.0

Google Android API 12.0 (12)

12.0

Google Android API 13.0 (13)

13.0

Google Android API 14.0 (14)

14.0

Google Android API 15.0 (15)

15.0

References

http://50.56.33.56/blog/?p=314

http://developer.android.com/reference/android/os/Build.VERSION_CODES.html#JELLY_BEAN_MR1

http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object,%20java.lang.String%29

[oss-security] 20140207 Re: CVE request: multiple issues in Apache Cordova/PhoneGap

http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf

Exploit

http://www.internetsociety.org/ndss2014/programme#session3

https://support.lenovo.com/us/en/product_security/len_6421

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.