CVE-2012-6636
published 2014-03-03


Priority: P262 medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 41.36% (98.5th percentile)
The Android API before 17 does not properly restrict the WebView.addJavascriptInterface method, which allows remote attackers to execute arbitrary methods of Java objects by using the Java Reflection API within crafted JavaScript code that is loaded into the WebView component in an application targeted to API level 16 or earlier, a related issue to CVE-2013-4710.

Affected

34 ranges · showing 25

Vendor    Product         Version range   Fixed in
adobe     adobe_reader    <= 11.1.3
adobe     adobe_reader
boatmob   boat_browser
boatmob   boat_browser
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android
google    android_api     <= 16.0
google    android_api
google    android_api
google    android_api
google    android_api
google    android_api
google    android_api

Detection & IOCs
extracted from sources

url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/android/browser/webview_addjavascriptinterface.rb
url: https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py
  • Detect exploitation attempts by monitoring HTTP responses serving JavaScript that references Java Reflection API calls (e.g., getClass, forName, getMethod, invoke) delivered to Android WebView clients with API level 16 or earlier.
  • Flag HTTP requests from Android user-agents where the response URI path ends in a random 5-character alpha string followed by '.js' with an 'arch' query parameter (e.g., /[a-z]{5}.js?arch=), as this matches the Metasploit module's static JS delivery mechanism for arch-specific payloads.
  • Monitor for JavaScript in web content that reads navigator.platform and dynamically injects a <script> tag with an 'arch' query parameter — a fingerprinting step used by the exploit to select the correct architecture-specific payload.
  • Alert on MITM scenarios where HTTP traffic to/from Android WebViews is intercepted and HTML/JS content is injected, particularly targeting ad-integration WebViews or persistent XSS vectors in apps targeting API level 16 or earlier.
  • The Google APIs 4.1.2 Android Browser app is a known vulnerable target; flag exploitation attempts specifically targeting this browser version.
  • The vulnerability only affects Android API level 16 (Android < 4.2) and earlier; devices running API level 17 or higher are not affected by this specific issue.
  • The exploit requires JavaScript to be enabled in the targeted WebView; detection and blocking of JavaScript execution in untrusted WebViews mitigates the attack surface.
  • The Metasploit module supports multiple architectures (ARCH_DALVIK, ARCH_X86, ARCH_ARMLE, ARCH_MIPSLE); detection rules should account for arch-specific payload variants, not just ARM.
  • A related CVE (CVE-2013-4710) covers the native browser's searchBoxJavaBridge_ addJavascriptInterface call; detections for CVE-2012-6636 may need to be extended to cover that variant as well.
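
The first three detection bullets and the API-level scope, combined into one check over web-proxy records. This is an added example, not code from this page or from the Metasploit or drozer projects; the record fields (`user_agent`, `uri`, `body`), the rule names and the three-token threshold are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

REFLECTION_TOKENS = ("getClass", "forName", "getMethod", "invoke")
ARCH_JS_PATH = re.compile(r"/[a-z]{5}\.js$")      # five-letter .js path from the bullets
ANDROID_UA = re.compile(r"Android (\d+)\.(\d+)")
ARCH_SCRIPT = re.compile(r"\.js\?arch=")          # script URL carrying an arch parameter

def findings(record):
    """Return the names of the rules (names are assumptions) a proxy record trips."""
    m = ANDROID_UA.search(record["user_agent"])
    # Only Android clients below 4.2 (API level 16 or earlier) are in scope.
    if not m or (int(m.group(1)), int(m.group(2))) >= (4, 2):
        return []
    hits = []
    url = urlsplit(record["uri"])
    if ARCH_JS_PATH.search(url.path) and "arch" in parse_qs(url.query, keep_blank_values=True):
        hits.append("arch_js_delivery")
    body = record.get("body", "")
    seen = [t for t in REFLECTION_TOKENS if re.search(r"\b" + t + r"\s*\(", body)]
    if len(seen) >= 3:                            # threshold is an assumption
        hits.append("reflection_in_js")
    if "navigator.platform" in body and ARCH_SCRIPT.search(body):
        hits.append("platform_fingerprint")
    return hits

OLD_UA = "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; sdk Build/X) AppleWebKit/534.30"
NEW_UA = "Mozilla/5.0 (Linux; Android 4.4.2; sdk Build/X) AppleWebKit/537.36"
# Constructed records; the bodies are inert token stubs, not captured traffic.
SAMPLE = [
    {"user_agent": OLD_UA, "uri": "http://203.0.113.5/qzkfh.js?arch=armle", "body": ""},
    {"user_agent": OLD_UA, "uri": "http://203.0.113.5/index.html",
     "body": "o.getClass(); c.forName(n); c.getMethod(m); f.invoke(t); "
             "p = navigator.platform; s.src = 'x.js?arch=' + p;"},
    {"user_agent": NEW_UA, "uri": "http://203.0.113.5/qzkfh.js?arch=armle", "body": ""},
    {"user_agent": OLD_UA, "uri": "http://203.0.113.5/jquery.js?arch=x",
     "body": "handler.invoke(evt);"},
]

def scan(records):
    return [findings(r) for r in records]

if __name__ == "__main__":
    for rec, hits in zip(SAMPLE, scan(SAMPLE)):
        print(rec["uri"], hits)
```

Requiring several reflection tokens together keeps a lone `invoke(` in ordinary script from alerting, and the version gate drops clients the page lists as unaffected.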

CVSS provenance

nvd   v2.0   6.8   MEDIUM   AV:N/AC:M/Au:N/C:P/I:P/A:P
osv          6.8   MEDIUM