Skip to content

Latest commit

 

History

History
260 lines (208 loc) · 19.9 KB

README.md

File metadata and controls

260 lines (208 loc) · 19.9 KB

uxss-db 🔪

Star the repo, if it was useful for you ⭐️.

Any help is highly appreciated, 🙏 check TODO!

Inspired by js-vuln-db

For memory bugs, exploits and other: check awesome-browser-exploit

You can extract js-vuln-db CVEs to .html/.js files using Scripts

Intro

Some CVE ids were not found:

Version field has "?" symbol, if a version wasn't attached to the report

NOTE: Many CVEs aren't listed in the tables below!

Check /other folder = unsorted/unknown/duplicated CVEs and vulnerabilities for less popular browsers

Webkit

CVE/id title version date
CVE-2017-7089 UXSS via parent-tab:// 10? Sep 20, 2017
CVE-2017-7037 UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive 10? Mar 10 2017
0-1197 WebKit: UXSS via CachedFrameBase::restore 10? Mar 17 2017
CVE-2017-2528 UXSS: CachedFrame doesn't detach openers 10? Mar 10 2017
0-1163 UXSS via Document::prepareForDestruction and CachedFrame 10? Mar 3 2017
CVE-2017-2510 UXSS: enqueuePageshowEvent and enqueuePopstateEvent don't enqueue, but dispatch 10? Feb 27 2017
CVE-2017-2508 UXSS via ContainerNode::parserInsertBefore 10? Feb 24 2017
0-1134 UXSS via ContainerNode::parserRemoveChild (2) 10? Feb 17 2017
0-1132 UXSS: the patch of #1110 made another bug 10 Feb 16 2017
CVE-2017-2504 UXSS via Editor::Command::execute 10.0.3 Feb 16 2017
CVE-2017-2493 UXSS through HTMLObjectElement::updateWidget 10.0.3 Feb 9 2017
CVE-2017-2480 UXSS via a synchronous page load 10.0.3 Feb 9 2017
CVE-2017-2479 UXSS via a focus event and a link element 10.0.3 Feb 9 2017
CVE-2017-2475 UXSS via ContainerNode::parserRemoveChild 10.0.3 Feb 2 2017
CVE-2017-2468 Use-After-Free via Document::adoptNode 10.0.3 Jan 23 2017
0-1094 UXSS via operationSpreadGeneric 10.0.2 Jan 20 2017
0-1084 UXSS via PrototypeMap::createEmptyStructure 10.0.2 Jan 17 2017
CVE-2017-2445 UXSS via disconnectSubframes 10.0.2 Jan 9 2017
CVE-2017-2442 UXSS with JSCallbackData 10.0.2 Jan 3 2017
CVE-2017-2367 UXSS by accessing a named property from an unloaded window 10.0.2 Dec 23 2016
CVE-2017-2365 UXSS via Frame::setDocument 10.0.2 Dec 20 2016
CVE-2017-2364 UXSS via Frame::setDocument (1). 10.0.2 Dec 20 2016
CVE-2017-2363 UXSS via FrameLoader::clear 10.0.2 Dec 19 2016

Chromium

CVE/id title version date
CVE-2018-6128 UXSS via URL parsing bug 66 May 9 2018
CVE-2017-5124 UXSS with MHTML 61 Oct 20 2017
cr-687844 window.external leaks global object + cross origin script access 57 Feb 2 2017
CVE-2017-5007 UXSS through bypassing ScopedPageSuspender with closing windows 55 Dec 5 2016
cr-656274 Cross-origin object leak via fetch 56 (canary) Oct 15 2016
cr-594383 UXSS via window.open() via file:// pages 54 Oct 15 2016
CVE-2016-5207 UXSS via fullscreen element updates 54 Oct 14 2016
CVE-2016-5204 UXSS by intercepting a UA shadow tree 52 Jul 24 2016
CVE-2016-1676 Persistent UXSS via SchemaRegistry 50 Apr 19 2016
CVE-2016-1667 UXSS through adopting image elements 50 Apr 21 2016
CVE-2016-1674 UXSS via the interception of Binding with Object.prototype.create 49 Mar 26 2016
CVE-2016-1673 UXSS using a FrameNavigationDisabler bypass 49 Mar 24 2016
cr-583445 UXSS in DocumentLoader::createWriterFor 48 Feb 2 2016
CVE-2016-1631 UXSS using Flash message loop 47 Dec 14 2015
CVE-2015-6770 UXSS using document.adoptNode 45 Oct 8 2015
CVE-2015-6769 UXSS via the unload_event module 45 Sep 22 2015
CVE-2015-6765 UXSS via ContainerNode::parserInsertBefore 44 Aug 11 2015
CVE-2015-1268 UXSS using IDBKeyRange static methods 43 May 31 2015
CVE-2014-1747 UXSS via local MHTML files 35 Dec 25 2013
CVE-2014-1701 UXSS via dispatchEvent on iframes 32 Feb 11 2014
CVE-2011-2856 Arbitrary cross-origin bypass using __defineGetter__ prototype override 15 Aug 18 2011
CVE-2011-3243 Universal XSS using contentWindow.eval 12 May 24 2011
CVE-2011-1438 bypass SOP with blob: 11 Mar 2 2011
cr-74372 chrome://blob-internals/ XSS 11 Feb 28 2011
cr-37383 javascript: url with a leading NULL byte can bypass cross origin protection. ? Mar 4 2010

IE/Edge

CVE/id version/date reporter
CVE-2015-0072, alternative PoC

Articles

Whitepapers

Browser hacking guides and design docs

Firefox

Tor

Brave

Chromium

Webkit

Electron

Specs

Bounties

Misc

Scripts

  # Export `js-vuln-db` repo CVEs to html
  bash ./scripts/js-vuln-db-to-format.sh html
  # Export `js-vuln-db` repo CVEs to js
  bash ./scripts/js-vuln-db-to-format.sh js

Author

Vladimir Metnew mailto:[email protected]

LICENSE

MIT

TODO