• Stars
    star
    682
  • Rank 66,258 (Top 2 %)
  • Language
    HTML
  • License
    MIT License
  • Created about 7 years ago
  • Updated almost 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

🔪Browser logic vulnerabilities ☠️

uxss-db 🔪

Star the repo, if it was useful for you ⭐️.

Any help is highly appreciated, 🙏 check TODO!

Inspired by js-vuln-db

For memory bugs, exploits and other: check awesome-browser-exploit

You can extract js-vuln-db CVEs to .html/.js files using Scripts

Intro

Some CVE ids were not found:

Version field has "?" symbol, if a version wasn't attached to the report

NOTE: Many CVEs aren't listed in the tables below!

Check /other folder = unsorted/unknown/duplicated CVEs and vulnerabilities for less popular browsers

Webkit

CVE/id title version date
CVE-2017-7089 UXSS via parent-tab:// 10? Sep 20, 2017
CVE-2017-7037 UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive 10? Mar 10 2017
0-1197 WebKit: UXSS via CachedFrameBase::restore 10? Mar 17 2017
CVE-2017-2528 UXSS: CachedFrame doesn't detach openers 10? Mar 10 2017
0-1163 UXSS via Document::prepareForDestruction and CachedFrame 10? Mar 3 2017
CVE-2017-2510 UXSS: enqueuePageshowEvent and enqueuePopstateEvent don't enqueue, but dispatch 10? Feb 27 2017
CVE-2017-2508 UXSS via ContainerNode::parserInsertBefore 10? Feb 24 2017
0-1134 UXSS via ContainerNode::parserRemoveChild (2) 10? Feb 17 2017
0-1132 UXSS: the patch of #1110 made another bug 10 Feb 16 2017
CVE-2017-2504 UXSS via Editor::Command::execute 10.0.3 Feb 16 2017
CVE-2017-2493 UXSS through HTMLObjectElement::updateWidget 10.0.3 Feb 9 2017
CVE-2017-2480 UXSS via a synchronous page load 10.0.3 Feb 9 2017
CVE-2017-2479 UXSS via a focus event and a link element 10.0.3 Feb 9 2017
CVE-2017-2475 UXSS via ContainerNode::parserRemoveChild 10.0.3 Feb 2 2017
CVE-2017-2468 Use-After-Free via Document::adoptNode 10.0.3 Jan 23 2017
0-1094 UXSS via operationSpreadGeneric 10.0.2 Jan 20 2017
0-1084 UXSS via PrototypeMap::createEmptyStructure 10.0.2 Jan 17 2017
CVE-2017-2445 UXSS via disconnectSubframes 10.0.2 Jan 9 2017
CVE-2017-2442 UXSS with JSCallbackData 10.0.2 Jan 3 2017
CVE-2017-2367 UXSS by accessing a named property from an unloaded window 10.0.2 Dec 23 2016
CVE-2017-2365 UXSS via Frame::setDocument 10.0.2 Dec 20 2016
CVE-2017-2364 UXSS via Frame::setDocument (1). 10.0.2 Dec 20 2016
CVE-2017-2363 UXSS via FrameLoader::clear 10.0.2 Dec 19 2016

Chromium

CVE/id title version date
CVE-2018-6128 UXSS via URL parsing bug 66 May 9 2018
CVE-2017-5124 UXSS with MHTML 61 Oct 20 2017
cr-687844 window.external leaks global object + cross origin script access 57 Feb 2 2017
CVE-2017-5007 UXSS through bypassing ScopedPageSuspender with closing windows 55 Dec 5 2016
cr-656274 Cross-origin object leak via fetch 56 (canary) Oct 15 2016
cr-594383 UXSS via window.open() via file:// pages 54 Oct 15 2016
CVE-2016-5207 UXSS via fullscreen element updates 54 Oct 14 2016
CVE-2016-5204 UXSS by intercepting a UA shadow tree 52 Jul 24 2016
CVE-2016-1676 Persistent UXSS via SchemaRegistry 50 Apr 19 2016
CVE-2016-1667 UXSS through adopting image elements 50 Apr 21 2016
CVE-2016-1674 UXSS via the interception of Binding with Object.prototype.create 49 Mar 26 2016
CVE-2016-1673 UXSS using a FrameNavigationDisabler bypass 49 Mar 24 2016
cr-583445 UXSS in DocumentLoader::createWriterFor 48 Feb 2 2016
CVE-2016-1631 UXSS using Flash message loop 47 Dec 14 2015
CVE-2015-6770 UXSS using document.adoptNode 45 Oct 8 2015
CVE-2015-6769 UXSS via the unload_event module 45 Sep 22 2015
CVE-2015-6765 UXSS via ContainerNode::parserInsertBefore 44 Aug 11 2015
CVE-2015-1268 UXSS using IDBKeyRange static methods 43 May 31 2015
CVE-2014-1747 UXSS via local MHTML files 35 Dec 25 2013
CVE-2014-1701 UXSS via dispatchEvent on iframes 32 Feb 11 2014
CVE-2011-2856 Arbitrary cross-origin bypass using __defineGetter__ prototype override 15 Aug 18 2011
CVE-2011-3243 Universal XSS using contentWindow.eval 12 May 24 2011
CVE-2011-1438 bypass SOP with blob: 11 Mar 2 2011
cr-74372 chrome://blob-internals/ XSS 11 Feb 28 2011
cr-37383 javascript: url with a leading NULL byte can bypass cross origin protection. ? Mar 4 2010

IE/Edge

CVE/id version/date reporter
CVE-2015-0072, alternative PoC

Articles

Whitepapers

Browser hacking guides and design docs

Firefox

Tor

Brave

Chromium

Webkit

Electron

Specs

Bounties

Misc

Scripts

  # Export `js-vuln-db` repo CVEs to html
  bash ./scripts/js-vuln-db-to-format.sh html
  # Export `js-vuln-db` repo CVEs to js
  bash ./scripts/js-vuln-db-to-format.sh js

Author

Vladimir Metnew mailto:[email protected]

LICENSE

MIT

TODO

More Repositories

1

suicrux

🚀 Ultimate universal starter with lazy-loading, SSR and i18n. [not maintained]
JavaScript
943
star
2

vue-element-starter

Vue starter with Element-UI [READY, unmaintained now]
JavaScript
216
star
3

neural-finance

Neural Network for HFT-trading [experimental]
Python
83
star
4

telegram-links-nsworkspace-open

Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution.
HTML
37
star
5

write-ups

Objective-C
34
star
6

next-semantic-ui-react

Next.js + SUIR tiny starter
JavaScript
20
star
7

rce-helpviewer-parallels-for-mac

Revisiting Helpviewer.app to hack Parallels for Mac
JavaScript
17
star
8

crypto-price-prediction-projects

List of crypto price prediction ML projects
11
star
9

tiny-universal-skeleton

Alternative approach to HMR for both server with SSR and client in development.[EXPERIMENTAL EXAMPLE]
JavaScript
10
star
10

atarax

Yet another guїdё about React/Redux.
8
star
11

React-Koa-Rethink

Example app with Koa/React/RethinkDB, socket.io [ARCHIVED]
JavaScript
8
star
12

chrome-applescript

Execute downloaded file in "script editor" using Chrome.
HTML
4
star
13

webpack-pkg-plugin

Makes executables from your scripts with Webpack.
JavaScript
3
star
14

git-hash-package

Set git hash in package.json
JavaScript
2
star
15

webpack-get-code-on-done

Returns compiled code from Webpack compiler.
JavaScript
1
star
16

async-in-redux-tutorial

How to work with async actions in Redux? All approaches with pros and cons. [ will not be finished :( ]
JavaScript
1
star
17

express-socket.io-run

The simplest setup, pure Express + pure Socket.io
JavaScript
1
star
18

crypto-algorithms-for-university

Some crypto algorithms I've written from the scratch for university class.
JavaScript
1
star
19

awral

Awesome Wrapper for Redux Action's Lifecycle [IGNORE, USE PROMISE-MIDDLEWARE INSTEAD]
JavaScript
1
star
20

afaik-mach-o

Assembly
1
star
21

BinaryTrees

Binary trees tutorial
JavaScript
1
star
22

gh_run_download_git_artifacts

gh_run_download_git_artifacts
1
star
23

go-terraform-aws-gitlab-starter

1
star
24

reas

Extract pure source code from webpack-compiled script
JavaScript
1
star