CVE-2020-6506
UNKNOWN
Published 2020-07-22T16:15:58
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2020-6506. We'll provide specific mitigation strategies based on your environment and risk profile.
No CVSS data available
Description
Insufficient policy enforcement in WebView in Google Chrome on Android prior to 83.0.4103.106 allowed a remote attacker to bypass site isolation via a crafted HTML page.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
Advisory Details
A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a `react-native-webview` that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.
## Pending mitigation
Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.
### References
https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/
Affected Packages
npm
react-native-webview
ECOSYSTEM:
≥0
<11.0.0
CVSS Scoring
CVSS Score
5.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
References
Advisory provided by GitHub Security Advisory Database. Published: October 2, 2020, Modified: August 3, 2022
References
HackerOne Reports
alesandroortiz
X (Formerly Twitter)
$560.00
Cross-site Scripting (XSS) - Generic
Published: 2020-07-22T16:15:58
Last Modified: 2024-08-04T09:02:40.810Z
Copied to clipboard!