CVE-2014-6041

Android Browser RCE Through Google Play Store XFO

Title source: metasploit

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-6041. PoCs were published by Rafay Baloch and joev, including the Metasploit module auxiliary/admin/android/google_play_store_uxss_xframe_rce.

AI-analyzed exploit summary: This Metasploit module exploits CVE-2014-6041, a UXSS vulnerability in Android's AOSP Browser, combined with a lack of X-Frame-Options enforcement in Google Play Store error pages to achieve remote code execution by installing and launching arbitrary apps.

Description

The Android WebView in Android before 4.4 allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence to the Android Browser application 4.2.1 or a third-party web browser.

Exploits (3)

metasploit WORKING POC
by Rafay Baloch, joev · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/android/google_play_store_uxss_xframe_rce.rb

This Metasploit module exploits CVE-2014-6041, a UXSS vulnerability in Android's AOSP Browser, combined with a lack of X-Frame-Options enforcement in Google Play Store error pages to achieve remote code execution by installing and launching arbitrary apps.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Android AOSP Browser prior to 4.4
Auth required
Prerequisites: User must be logged into Google on a vulnerable browser · Target must visit attacker-controlled webpage
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by Rafay Baloch, joev · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_stock_browser_uxss.rb

This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability in Android's stock browser (CVE-2014-6041) to steal cookies and page contents. It uses iframe injection or a popup-based bypass for X-Frame-Options, executing arbitrary JavaScript in the context of targeted URLs.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Android Open Source Platform (AOSP) Browser < 4.4
No auth needed
Prerequisites: Victim must visit the attacker-controlled page · Target URLs must be accessible in the victim's browser context
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by Rafay Baloch, joev · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/android_object_tag_webview_uxss.rb

This Metasploit module exploits a Universal Cross-Site Scripting (UXSS) vulnerability in Android's stock browser and WebView components before version 4.4. It leverages the vulnerability to steal cookie data and page contents from targeted URLs by injecting malicious JavaScript.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Android Open Source Platform (AOSP) Browser and WebView components before 4.4
No auth needed
Prerequisites: Victim must visit a malicious webpage hosted by the attacker · Target URLs must not use X-Frame-Options
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS: 0.7756
EPSS Percentile: 99.0%

Details

CWE: CWE-264
Status: published
Products (1): google/android_browser 4.2.1
Published: Sep 02, 2014
Tracked Since: Feb 18, 2026