QwikSec

Security Database

CVE

CWE

Training

CVE-2014-6041

Published: Sep 2, 2014

Modified: Aug 6, 2024

PUBLISHED

Description

The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

vdb-entry

x_refsource_BID

http://www.rafayhackingarticles.net/2014/08/android-browser-same-origin-policy.html

x_refsource_MISC

https://news.ycombinator.com/item?id=8325807

x_refsource_CONFIRM

https://android.googlesource.com/platform/external/webkit/+/1368e05e8875f00e8d2529fe6050d08b55ea4d87

x_refsource_CONFIRM

https://community.rapid7.com/community/metasploit/blog/2014/09/15/major-android-bug-is-a-privacy-disaster-cve-2014-6041

x_refsource_MISC

https://android.googlesource.com/platform/external/webkit/+/7e4405a7a12750ee27325f065b9825c25b40598c

x_refsource_CONFIRM

google-android-cve20146041-sec-bypass(95693)

vdb-entry

x_refsource_XF

https://news.ycombinator.com/item?id=8321185

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.