CVE-2020-6506 – react-native-webview
Package
Manager: npm
Name: react-native-webview
Vulnerable Version: >=0 <=10.10.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00533 (percentile: 0.66387)
Details
Android WebView Universal Cross-site Scripting

A universal cross-site scripting (UXSS) vulnerability, CVE-2020-6506 (https://crbug.com/1083819), has been identified in the Android WebView system component. It allows cross-origin iframes to execute arbitrary JavaScript in the top-level document. This vulnerability affects React Native apps that use a `react-native-webview` allowing navigation to arbitrary URLs, when the app runs on a system with an Android WebView version prior to 83.0.4103.106.

## Pending mitigation

Ensure users update their Android WebView system component via the Google Play Store to 83.0.4103.106 or higher to avoid this UXSS. `react-native-webview` is working on a mitigation but it could take some time.

### References

https://alesandroortiz.com/articles/uxss-android-webview-cve-2020-6506/
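
The version check behind the mitigation above, as an added example (not code from `react-native-webview` or the advisory). It assumes the app can read the WebView's user-agent string, for instance `navigator.userAgent` inside the loaded page, and that the string carries the `; wv)` marker and a `Chrome/a.b.c.d` token; the function names and sample strings are hypothetical.

```javascript
// Added example: classify an Android WebView build against the fixed
// version named in the advisory (83.0.4103.106).
const FIXED_VERSION = [83, 0, 4103, 106]; // taken from the advisory text

// Extract the four-part Chromium version from a WebView user-agent string.
// Assumption: WebView UAs contain "; wv)" and "Chrome/a.b.c.d".
// Returns [major, minor, build, patch] or null when the UA is not recognised.
function parseWebViewVersion(userAgent) {
  if (typeof userAgent !== 'string' || !/;\s*wv\)/.test(userAgent)) return null;
  const m = /Chrome\/(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(userAgent);
  return m ? m.slice(1, 5).map(Number) : null;
}

// Numeric, component-wise comparison. A plain string comparison would rank
// "96" above "106" and "100" below "83", giving wrong answers.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'vulnerable', 'patched', or 'unknown' (version could not be read;
// treat this as not verified rather than as safe).
function webViewStatus(userAgent) {
  const version = parseWebViewVersion(userAgent);
  if (version === null) return 'unknown';
  return compareVersions(version, FIXED_VERSION) < 0 ? 'vulnerable' : 'patched';
}

// Constructed sample user agents (not captured from real devices).
const UA_PREFIX = 'Mozilla/5.0 (Linux; Android 10; TestDevice Build/TEST; wv) ' +
  'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 ';
const SAMPLE_UAS = {
  older: UA_PREFIX + 'Chrome/83.0.4103.96 Mobile Safari/537.36',
  fixed: UA_PREFIX + 'Chrome/83.0.4103.106 Mobile Safari/537.36',
  newer: UA_PREFIX + 'Chrome/100.0.4896.127 Mobile Safari/537.36',
  notWebView: 'Mozilla/5.0 (Linux; Android 10; TestDevice) AppleWebKit/537.36 ' +
    '(KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36',
};

for (const [name, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(name, webViewStatus(ua));
}
```
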
Metadata
Created: 2020-10-02T16:22:41Z
Modified: 2022-08-03T23:40:07Z
Source: MANUAL
CWE IDs: ["CWE-79", "CWE-863"]
Alternative ID: GHSA-36j3-xxf7-4pqg
Finding: F008
Auto approve: 1