JVN#33044255 GreaseKit and Creammonkey allows execution of userscript functions

2007-12-26T00:00:00
ID JVN:33044255
Type jvn
Reporter Japan Vulnerability Notes
Modified 2008-05-21T00:00:00

Description

## Description

GreaseKit and Creammonkey are plugins that enable user scripting to Safari and other Apple Webkit applications, and they provide APIs callable only from userscripts.
GreaseKit and Creammonkey are vulnerable in allowing APIs called from a web page.

## Impact

When a user views a specially crafted web page, a remote attacker can read or modify the configuration, or send HTTP requests to arbitrary websites via the above functions, within the web page on which a userscript is configured to run.

## Solution

Update the Software
Apply the latest update provided by the developer.
If you use Creammonkey, we recommend that you upgrade to the latest version of its successor GreaseKit, available from the developer's website.

## Products Affected

  • GreaseKit 1.2 through 1.3
  • Creammonkey 0.9 through 1.1 GreaseKit is the successor to Creammonkey.