CVE-2011-3881Cross-site Scripting in Google Android

CWE-79Cross-site Scripting3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.5%
top 33.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Apple Iphone OSApple SafariGoogle Android+1 more
Timeline
PublishedOct 25
Latest updateMay 13

Description

WebKit, as used in Google Chrome before 15.0.874.102 and Android before 4.4, allows remote attackers to bypass the Same Origin Policy and conduct Universal XSS (UXSS) attacks via vectors related to (1) the DOMWindow::clear function and use of a selection object, (2) the Object::GetRealNamedPropertyInPrototypeChain function and use of an __proto__ property, (3) the HTMLPlugInImageElement::allowedToLoadFrameURL function and use of a javascript: URL, (4) incorrect origins for XSLT-generated documen

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

NVDgoogle/chrome< 15.0.874.102
NVDgoogle/android< 4.4
NVDapple/safari< 5.1.4
NVDapple/iphone_os< 5.1

🔴Vulnerability Details

2
GHSA
GHSA-h3qf-j7vv-gw2w: WebKit, as used in Google Chrome before 152022-05-13
OSV
CVE-2011-3881: WebKit, as used in Google Chrome before 152011-10-25