Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
saintSAINT CorporationSAINT:D74C1E9CA1CBCCAF5DAEA2F1C7DC3D4A
HistoryFeb 11, 2014 - 12:00 a.m.

Android WebView addJavascriptInterface Arbitrary Java Method Access

2014-02-1100:00:00
SAINT Corporation
www.saintcorporation.com
37

0.036 Low

EPSS

Percentile

91.7%

JSON

Added: 02/11/2014
CVE: CVE-2013-4710
OSVDB: 97520

Background

Android is a Linux-based operating system used primarily on touchscreen mobile devices such as smartphones and tablet computers. It was originally developed by Android Inc., but is now owned by Google. WebView is a sub-class of the Android View API which allows an application developer to load a web page as part of a client application.

Problem

The **addJavascriptInterface** method of WebView exposes a supplied Java object from within WebView to JavaScript. WebView with an API level less than 17 allows all public methods to be accessed, so that it is possible to use **addJavascriptInterface** to call any unregistered Java class and thereby execute commands remotely in the context of the running application.

Resolution

Applications developed for Android 4.2 (API level 17) and above are not vulnerable. Users who cannot upgrade their Android version should remove all applications that embed advertisements or ensure that they do not connect to untrusted networks while using applications with embedded advertisements.

References

<http://jvn.jp/en/jp/JVN53768697/&gt;
<https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/&gt;
<http://blogs.avg.com/mobile/analyzing-android-webview-exploit/&gt;

Limitations

The user must run a vulnerable application which loads a specially crafted page.

Platforms

Android

Related

saint 3
myhack58 1
hackerone 1
jvn 1
checkpoint_advisories 1
nvd 2
cvelist 2
android 1
cve 2
zdt 1
prion 2
ubuntucve 1
saint
saint
Android WebView addJavascriptInterface Arbitrary Java Method Access
2014-02-11 00:00:00
Android WebView addJavascriptInterface Arbitrary Java Method Access
2014-02-11 00:00:00
Android WebView addJavascriptInterface Arbitrary Java Method Access
2014-02-11 00:00:00
myhack58
myhack58
Millet mobile phone MIUI remote code execution vulnerability analysis-vulnerability warning-the black bar safety net
2014-08-25 00:00:00
hackerone
hackerone
ownCloud: Webview Vulnerablity [OwnCloudAndroid Application]
2015-09-07 11:57:09
jvn
jvn
JVN#53768697: Android OS vulnerable to arbitrary Java method execution
2013-12-17 00:00:00
checkpoint_advisories
checkpoint_advisories
Google Android Denial Of Service (CVE-2013-4710)
2022-05-30 00:00:00
nvd
nvd
CVE-2012-6636
2014-03-03 04:50:46
CVE-2013-4710
2014-03-03 04:50:46
cvelist
cvelist
CVE-2012-6636
2014-03-03 02:00:00
CVE-2013-4710
2014-03-03 02:00:00
android
android
JavaScript to Java
2012-12-21 00:00:00
cve
cve
CVE-2013-4710
2014-03-03 04:50:46
CVE-2012-6636
2014-03-03 04:50:46
zdt
zdt
Android 4.2 Browser and WebView - addJavascriptInterface Code Execution Exploit
2017-03-23 00:00:00
prion
prion
Server side request forgery (ssrf)
2014-03-03 04:50:00
Design/Logic Flaw
2014-03-03 04:50:00
ubuntucve
ubuntucve
CVE-2012-6636
2014-03-03 00:00:00

0.036 Low

EPSS

Percentile

91.7%

JSON
Related for SAINT:D74C1E9CA1CBCCAF5DAEA2F1C7DC3D4A
saint3myhack581hackerone1jvn1checkpoint_advisories1nvd2cvelist2android1cve2zdt1prion2ubuntucve1