CVE-2012-4905

Google Chrome < 18.0.1025306 - Cross-Site Scripting via Intent Extra

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-4905. PoCs published by Artem Chaykin.

AI-analyzed exploit summary This exploit leverages a vulnerability in Google Chrome for Android to inject JavaScript into a target webpage, allowing the theft of cookie-based authentication credentials. It uses Android Intents to manipulate Chrome's behavior and bypass the same-origin policy.

Description

Cross-site scripting (XSS) vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script or HTML via an extra in an Intent object, aka "Universal XSS (UXSS)."

Exploits (1)

exploitdb WORKING POC VERIFIED

by Artem Chaykin · textremoteandroid

https://www.exploit-db.com/exploits/37792

View Code ZIP pw:eip

This exploit leverages a vulnerability in Google Chrome for Android to inject JavaScript into a target webpage, allowing the theft of cookie-based authentication credentials. It uses Android Intents to manipulate Chrome's behavior and bypass the same-origin policy.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Google Chrome for Android < 18.0.1025308

No auth needed

Prerequisites: Android device with vulnerable Chrome version · Ability to execute arbitrary Android applications

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Issue Tracking x_refsource_confirm

https://code.google.com/p/chromium/issues/detail?id=144813

Vendor Advisory x_refsource_confirm

http://googlechromereleases.blogspot.com/2012/09/chrome-for-android-update.html

Scores

EPSS 0.0155

EPSS Percentile 72.0%

Details

CWE

CWE-79

Status published

Products (1)

google/chrome < 18.0.1025306

Published Sep 13, 2012

Tracked Since Feb 18, 2026