Lucene search

[email protected]CVE-2011-2357

HistoryAug 12, 2011 - 6:55 p.m.

CVE-2011-2357

2011-08-1218:55:04

CWE-20

[email protected]

web.nvd.nist.gov

cve-2011-2357

android

vulnerability

cross-application scripting

sandbox bypass

arbitrary javascript

security

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.4 Medium

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

86.1%

JSON

Cross-application scripting vulnerability in the Browser URL loading functionality in Android 2.3.4 and 3.1 allows local applications to bypass the sandbox and execute arbitrary Javascript in arbitrary domains by (1) causing the MAX_TAB number of tabs to be opened, then loading a URI to the targeted domain into the current tab, or (2) making two startActivity function calls beginning with the targeted domain’s URI followed by the malicious Javascript while the UI focus is still associated with the targeted domain.

Affected configurations

NVD

Node

googleandroidMatch2.3.4

googleandroidMatch3.1

CPENameOperatorVersion
google:androidgoogle androideq2.3.4
google:androidgoogle androideq3.1

CPE	Name	Operator	Version
google:android	google android	eq	2.3.4
google:android	google android	eq	3.1

References

android.git.kernel.org/?p=platform/cts.git%3Ba=commit%3Bh=7e48fb87d48d27e65942b53b7918288c8d740e17

android.git.kernel.org/?p=platform/packages/apps/Browser.git%3B%20a=commit%3Bh=096bae248453abe83cbb2e5a2c744bd62cdb620b

android.git.kernel.org/?p=platform/packages/apps/Browser.git%3B%20a=commit%3Bh=afa4ab1e4c1d645e34bd408ce04cadfd2e5dae1e

blog.watchfire.com/files/advisory-android-browser.pdf

blog.watchfire.com/wfblog/2011/08/android-browser-cross-application-scripting-cve-2011-2357.html

osvdb.org/74260

seclists.org/fulldisclosure/2011/Aug/9

secunia.com/advisories/45457

securityreason.com/securityalert/8335

securitytracker.com/id?1025881

www.infsec.cs.uni-saarland.de/projects/android-vuln/

www.infsec.cs.uni-saarland.de/projects/android-vuln/android_xss.pdf

www.securityfocus.com/archive/1/519146/100/0/threaded

www.securityfocus.com/bid/48954

exchange.xforce.ibmcloud.com/vulnerabilities/68937

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.4 Medium

AI Score

Confidence

High

0.013 Low

EPSS

Percentile

86.1%

JSON

Related for CVE-2011-2357

seebug1 securityvulns3 prion1 cvelist1 packetstorm2 android1 nvd1