CVE-2020-9443
CVE-2020-9443 affects Zulip Desktop prior to 4.0.3. The issue arises from loading untrusted content in an Electron webview with web security disabled, enabling cross-site scripting (XSS) in multiple ways. The vulnerability notably impacts Zulip Desktop 2.3.82. The public documentation notes this ...
CVE-2020-9443
Zulip Desktop before 4.0.3 loaded untrusted content in an Electron webview with web security disabled, which can be exploited for XSS in a number of ways. This especially affects Zulip Desktop 2.3.82...
(Pwn2Own) Xiaomi Mi9 Browser Untrusted Site Redirection Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Xiaomi Mi9 Browser. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within Xiaom...
CVE-2020-9530
An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps (com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView...
Design/Logic Flaw
An issue was discovered on Xiaomi MIUI V11.0.5.0.QFAEUXM devices. The export component of GetApps (com.xiaomi.mipicks) mishandles the functionality of opening other components. Attackers need to induce users to open specific web pages in a specific network environment. By jumping to the WebView...
VulnCheck KEV: CVE-2018-1000136
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appears to be exploitable via an app which allows execution of 3rd party code AND disallows node...
CVE-2014-4968
The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636...
Design/Logic Flaw
The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636...
CVE-2014-4968
The CVE-2014-4968 entry corresponds to a vulnerability in Boat Browser for Android (versions 8.0 and 8.0.1) where the WebView.addJavascriptInterface usage in the app’s WebView allows remote code execution via a crafted web site. This is related to CVE-2012-6636. Exploit details are publicly docum...
CVE-2019-0219
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI...
CVE-2019-0219
CVE-2019-0219 affects the Cordova InAppBrowser plugin in Cordova Android apps prior to version 3.1.0. A website running in the InAppBrowser webview can exploit a specially crafted gap-iab: URI to execute arbitrary JavaScript in the host app’s main webview, enabling potential privilege escalation. Doc...
EUVD-2020-0969
A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI...
CVE-2019-16681
The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to the opening of arbitrary URLs, which can inject deceptive content into the UI. When in physical possession of the device, opening local files is also possible. NOTE: As of...
Lark Technologies: [Lark Android] Vulnerability in exported activity WebView
A vulnerability was found in Lark Android exported activity web view which could have potentially been used to send a malicious URL to WebView and replace the content in the application with malicious code. We thank @shellc0de for reporting this to our team...
Security Bulletin: MaaS360 has identified a vulnerability in the MaaS360 Android Application. (CVE-2019-4501)
Summary: A vulnerability was identified and remediated in the MaaS360 Android Application version 6.70. Vulnerability Details: CVEID: CVE-2019-4501. DESCRIPTION: When using MaaS360 Android application in Android Enterprise Managed Work Profile Mode using Single Sign-On through a web view application...
Nextcloud: Blind Stored XSS on iOS App due to Unsanitized Webview
Hi Team! I found a Blind XSS that can be executed on the iOS App due to an unsanitized webview. Using this issue, an attacker can extract information from the victim. Steps To Reproduce: 1. Upload malicious HTML, share to victim 2. Wait for the victim to open it F487447 F487448 HTML payload attached, don't forget to change...