CVE-2012-6636

critical

Description

The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

References

https://support.lenovo.com/us/en/product_security/len_6421

http://www.internetsociety.org/ndss2014/programme#session3

http://openwall.com/lists/oss-security/2014/02/07/9

http://jvn.jp/en/jp/JVN62161191/index.html

http://developer.android.com/reference/android/webkit/WebView.html#addJavascriptInterface%28java.lang.Object%2C%20java.lang.String%29

http://developer.android.com/reference/android/os/Build.VERSION_CODES.html#JELLY_BEAN_MR1

http://50.56.33.56/blog/?p=314

Details

Source: Mitre, NVD

Published: 2014-03-03

Updated: 2025-04-12

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.6055