GHSA-36j3-xxf7-4pqg

Suggest an improvement
Source
https://github.com/advisories/GHSA-36j3-xxf7-4pqg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-36j3-xxf7-4pqg/GHSA-36j3-xxf7-4pqg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-36j3-xxf7-4pqg
Aliases
Published
2020-10-02T16:22:41Z
Modified
2023-11-08T04:03:56.934077Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Android WebView Universal Cross-site Scripting
Details

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.

Pending mitigation

Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.

References

https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/

Database specific
{
    "nvd_published_at": "2020-07-22T17:15:00Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-863"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-02T16:22:01Z"
}
References

Affected packages

npm / react-native-webview

Package

Name
react-native-webview
View open source insights on deps.dev
Purl
pkg:npm/react-native-webview

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.0.0

Database specific

{
    "last_known_affected_version_range": "<= 10.10.2"
}