
CVE-2020-6506: Android WebView Universal Cross-site Scripting

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.8171%
Published: 10/2/2020
Updated: 1/27/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name: react-native-webview
Ecosystem: npm
Vulnerable Versions: <= 10.10.2
First Patched Version: 11.0.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from Android WebView's default handling of window creation when multi-window support is disabled. Versions of react-native-webview prior to 11.0.0 did not enable setSupportMultipleWindows, leaving apps vulnerable to UXSS. The patched version (11.0.0) introduced explicit control through the setSupportMultipleWindows prop and enabled it by default, aligning with Chromium's security fixes in Android WebView 83+.


WAF Protection Rules

WAF Rule

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/*******), has been identified in the Android WebView system component, which allows cross-origin iframes to execute arbitrary JavaScript in the top-level document.
