CVE-2013-4710

Android <4.1.x - RCE

Title source: llm

Description

Android 3.0 through 4.1.x on Disney Mobile, eAccess, KDDI, NTT DOCOMO, SoftBank, and other devices does not properly implement the WebView class, which allows remote attackers to execute arbitrary methods of Java objects or cause a denial of service (reboot) via a crafted web page, as demonstrated by use of the WebView.addJavascriptInterface method, a related issue to CVE-2012-6636.

Exploits (3)

nomisec WORKING POC 1 stars

by Snip3R69 · poc

https://github.com/Snip3R69/CVE-2013-4710-WebView-RCE-Vulnerability

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotehardware

https://www.exploit-db.com/exploits/31519

View Code ZIP pw:eip

exploitdb WORKING POC

rubylocalandroid

https://www.exploit-db.com/exploits/41675

View on exploitdb

References (10)

[Various Sources] http://50.56.33.56/blog/?p=314

[Various Sources] http://emobile.jp/products/sh/a01sh/systemsoftware.html

[Mailing List] http://openwall.com/lists/oss-security/2014/02/18/11

[Third Party Advisory] http://jvn.jp/en/jp/JVN53768697/113349/index.html

[Third Party Advisory] http://jvn.jp/en/jp/JVN53768697/397327/index.html

[Third Party Advisory] http://jvn.jp/en/jp/JVN53768697/995293/index.html

[Third Party Advisory] http://jvn.jp/en/jp/JVN53768697/995312/index.html

[Third Party Advisory] http://jvn.jp/en/jp/JVN53768697/995417/index.html

[Third Party Advisory] http://jvn.jp/en/jp/JVN53768697/index.html

[Third Party Advisory] http://jvndb.jvn.jp/jvndb/JVNDB-2013-000111

Scores

EPSS 0.7599

EPSS Percentile 98.9%

Classification

CWE

CWE-20

Status draft

Affected Products (14)

google/android

google/android

google/android

google/android

google/android

google/android

google/android

google/android

google/android

google/android

google/android

google/android

google/android

google/android

Timeline

Published Mar 03, 2014

Tracked Since Feb 18, 2026