6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6506

GHSA ID

GHSA-36j3-xxf7-4pqg

EPSS Score

0.8171%

CWE

CWE-79

Published

10/2/2020

Updated

1/27/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-6506

CVE-2020-6506: Android WebView Universal Cross-site Scripting

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps which use a react-native-webview that allows navigation to arbitrary URLs, and when that app runs on systems with an Android WebView version prior to 83.0.4103.106.

Pending mitigation

Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. 'react-native-webview' is working on a mitigation but it could take some time.

References

https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-6506

GHSA ID

GHSA-36j3-xxf7-4pqg

EPSS Score

0.8171%

CWE

CWE-79

Published

10/2/2020

Updated

1/27/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-native-webview	npm	<= 10.10.2	11.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Android WebView's default handling of window creation when multi-window support is disabled. The react-native-webview implementation prior to 11.0.0 did not enable setSupportMultipleWindows, leaving apps vulnerable to UXSS. The patched version (11.0.0) introduced explicit control via setSupportMultipleWindows prop and enabled it by default, aligning with Chromium's security fixes in Android WebView 83+.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* univ*rs*l *ross-sit* s*riptin* (UXSS) vuln*r**ility, *V*-****-**** (*ttps://*r*u*.*om/*******), **s ***n i**nti*i** in t** *n*roi* W**Vi*w syst*m *ompon*nt, w*i** *llows *ross-ori*in i*r*m*s to *x**ut* *r*itr*ry J*v*S*ript in t** top-l*v*l *o*um*nt

Reasoning

T** vuln*r**ility st*ms *rom *n*roi* W**Vi*w's ****ult **n*lin* o* win*ow *r**tion w**n multi-win*ow support is *is**l**. T** `r***t-n*tiv*-w**vi*w` impl*m*nt*tion prior to `**.*.*` *i* not *n**l* `s*tSupportMultipl*Win*ows`, l**vin* *pps vuln*r**l*

6.5

Basic Information

Concerned about an active attack path?

CVE-2020-6506: Android WebView Universal Cross-site Scripting

Pending mitigation

References

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI