CVE-2013-4710

Android 3.0-4.1.x - Remote Code Execution via WebView.addJavascriptInterface

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-4710. PoCs published by Metasploit, Snip3R69.

AI-analyzed exploit summary: This Metasploit module exploits a privilege escalation vulnerability in Android < 4.2's WebView component by injecting JavaScript that leverages the addJavascriptInterface method to execute arbitrary commands via Java Reflection APIs.

Description

Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636.

Exploits (3)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby · remote · hardware
https://www.exploit-db.com/exploits/31519

This Metasploit module exploits a privilege escalation vulnerability in Android < 4.2's WebView component by injecting JavaScript that leverages the addJavascriptInterface method to execute arbitrary commands via Java Reflection APIs.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android Browser and WebView < 4.2
No auth needed
Prerequisites: Access to a vulnerable Android device or application using WebView with addJavascriptInterface · Ability to inject JavaScript into the WebView context
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by Snip3R69 · poc
https://github.com/Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability

This repository contains a proof-of-concept exploit for CVE-2013-4710, demonstrating how JavaScript in a WebView can execute arbitrary commands on Android devices via reflection. The exploit leverages the `addJavascriptInterface` method to gain RCE by accessing the `Runtime` class.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android WebView (versions below 4.2)
No auth needed
Prerequisites: Android app with WebView using `addJavascriptInterface` · SD card read/write permissions
devstral-2 · analyzed Feb 16, 2026
exploitdb · WORKING POC
ruby · local · android
https://www.exploit-db.com/exploits/41675

This Metasploit module exploits a privilege escalation vulnerability in Android < 4.2's WebView component by leveraging the addJavascriptInterface method to execute arbitrary commands via Java Reflection APIs. It serves malicious JavaScript to vulnerable Android browsers or WebViews, leading to remote code execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android Browser and WebView (versions < 4.2)
No auth needed
Prerequisites: Vulnerable Android device with WebView or Browser app exposing addJavascriptInterface · Ability to deliver malicious JavaScript (e.g., via MITM, XSS, or direct browsing)
devstral-2 · analyzed Feb 19, 2026

References (10)

Core References
Third Party Advisory x_refsource_confirm
http://jvn.jp/en/jp/JVN53768697/113349/index.html
Various Sources x_refsource_confirm
http://emobile.jp/products/sh/a01sh/systemsoftware.html
Third Party Advisory third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN53768697/index.html
Third Party Advisory x_refsource_confirm
http://jvn.jp/en/jp/JVN53768697/397327/index.html
Third Party Advisory x_refsource_confirm
http://jvn.jp/en/jp/JVN53768697/995312/index.html
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2014/02/18/11
Third Party Advisory x_refsource_confirm
http://jvn.jp/en/jp/JVN53768697/995293/index.html
Third Party Advisory x_refsource_confirm
http://jvn.jp/en/jp/JVN53768697/995417/index.html
Various Sources x_refsource_misc
http://50.56.33.56/blog/?p=314
Third Party Advisory third-party-advisory x_refsource_jvndb
http://jvndb.jvn.jp/jvndb/JVNDB-2013-000111

Scores

EPSS 0.7638
EPSS Percentile 99.0%

Details

CWE: CWE-20
Status: published
Products (14)
google/android 3.0
google/android 3.1
google/android 3.2
google/android 3.2.1
google/android 3.2.2
google/android 3.2.4
google/android 3.2.6
google/android 4.0
google/android 4.0.1
google/android 4.0.2
... and 4 more
Published Mar 03, 2014
Tracked Since Feb 18, 2026