CVE-2013-4710
published 2014-03-03

Priority: P265 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 42.62% (98.5th percentile)
Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636.

Affected

30 ranges · showing 25

Vendor | Product | Version range | Fixed in
google | android | |
google | android_api | <= 16.0 |

Detection & IOCs (extracted from sources)

url: http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/
url: https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/
url: https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py
url: https://github.com/jduck/VulnWebView/
  • Vulnerability check JS: enumerate all objects in `top` and attempt to call `.getClass().forName('java.lang.Runtime')` — success indicates a vulnerable addJavascriptInterface object is exposed in the WebView context.
  • Exploit JS pattern: attacker uses Java Reflection via `getClass().forName('java.lang.Runtime').getMethod('getRuntime', null)` inside injected JavaScript to obtain a Runtime instance and execute OS commands.
  • MITM / persistent XSS vector: if an attacker can intercept the WebView's HTTP connection or inject persistent XSS into the page loaded by the WebView, they can inject the exploit HTML/JS and obtain a shell.
  • The native Android Browser is vulnerable via the `searchBoxJavaBridge_` interface; the Google APIs 4.1.2 release of Android Browser is a confirmed vulnerable target.
  • Arch-detection JS fingerprinting: exploit JS probes `navigator.platform` with regexes `/arm/i`, `/mips/i`, `/x86/i` to select the correct payload binary — detect this pattern in injected scripts.
  • Approximately 90% of analyzed Android e-commerce apps contained this WebView RCE vulnerability; prioritize scanning APKs for `addJavascriptInterface` usage on API level 16 or earlier targets.
  • The vulnerability only affects Android API level 16 (Android < 4.2) and earlier; applications targeting API level 17+ are not affected by this specific issue.
  • Ad integrations in Android apps are highlighted as a particularly high-risk attack surface because they commonly use WebViews with addJavascriptInterface, making MITM against ad traffic a viable exploitation path.

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv | 6.8 | MEDIUM