CVE-2012-10032
Published 2025-08-05
Priority: P3 57 · Severity: high · CVSS 4.0 score: 8.7
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Exploit available
EPSS: 0.85% (53.4th percentile)
Maxthon3 version 3.2.2 build 1000 and prior are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| maxthon_international_ltd | maxthon3_browser | 3.1.7 build 600 – 3.2.2 build 1000 | — |
Detection & IOCs (extracted from sources)
- Monitor for JavaScript execution originating from the about:history page in Maxthon3, particularly calls to privileged DOM APIs such as maxthon.program.Program.launch() and maxthon.io.writeDataURL(), which indicate XCS exploitation in the trusted zone.
- Maxthon3 versions 3.1.7 build 600 through 3.2.2 build 1000 are confirmed exploitable; flag or block these specific version strings in endpoint inventory and network traffic.
- Exploitation requires a user to visit a malicious webpage; monitor web proxy/DNS logs for outbound requests to attacker-controlled pages that may redirect or inject content into the Maxthon about:history trusted zone.
- The Metasploit module for this CVE only works against a specific version range; exploitation outside Maxthon 3.1.7 build 600 – 3.2.2 build 1000 has not been confirmed, so version-based detections should be scoped accordingly.
VulDB
CVE-2012-10032 [HIGH] Maxthon International Maxthon3 Browser up to 3.2 cross site scripting (EUVD-2012-6576 / EDB-23225)
vuldb · 2026-05-26 · CVSS 8.7
A vulnerability labeled as problematic has been found in Maxthon International Maxthon3 Browser up to 3.2. The affected element is the function maxthon.program.Program.launch/maxthon.io.writeDataURL. Executing a manipulation can lead to cross site scripting.
The identification of this vulnerability is CVE-2012-10032. The attack may be launched remotely. Furthermore, there is an exploit available.
The affected component should be upgraded.
GHSA
CVE-2012-10032 [HIGH] CWE-79 GHSA-46wv-96pg-j3fc: Maxthon3 versions prior to 3
ghsa_unreviewed · 2025-08-05
Maxthon3 versions prior to 3.3 are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection.
No detection rules found.
No writeups or analysis indexed.
References
- http://blog.malerisch.net/2012/12/maxthon-cross-context-scripting-xcs-about-history-rce.html
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/maxthon_history_xcs.rb
- https://www.exploit-db.com/exploits/23225
- https://www.fortiguard.com/encyclopedia/ips/34203
- https://www.maxthon.com/
- https://www.vulncheck.com/advisories/maxthon3-xcs-trusted-zone-code-exec