CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
AI Score
Confidence
Low
EPSS
Percentile
92.0%
Added: 02/11/2014
CVE: CVE-2013-4710
OSVDB: 97520
Android is a Linux-based operating system used primarily on touchscreen mobile devices such as smartphones and tablet computers. It was originally developed by Android Inc., but is now owned by Google. WebView is a sub-class of the Android View API which allows an application developer to load a web page as part of a client application.
The **addJavascriptInterface**
method of WebView exposes a supplied Java object from within WebView to JavaScript. WebView with an API level less than 17 allows all public methods to be accessed, so that it is possible to use **addJavascriptInterface**
to call any unregistered Java class and thereby execute commands remotely in the context of the running application.
Applications developed for Android 4.2 (API level 17) and above are not vulnerable. Users who cannot upgrade their Android version should remove all applications that embed advertisements or ensure that they do not connect to untrusted networks while using applications with embedded advertisements.
http://jvn.jp/en/jp/JVN53768697/
https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
http://blogs.avg.com/mobile/analyzing-android-webview-exploit/
The user must run a vulnerable application which loads a specially crafted page.
Android