uxss-db 🔪

Star the repo, if it was useful for you ⭐️.

Any help is highly appreciated, 🙏 check TODO!

Inspired by js-vuln-db

For memory bugs, exploits and other material, check awesome-browser-exploit

You can extract js-vuln-db CVEs to .html/.js files using Scripts

Intro

Some CVE ids were not found:

The version field shows "?" if a version wasn't attached to the report.

NOTE: Many CVEs aren't listed in the tables below!

Check the /other folder for unsorted, unknown and duplicated CVEs, and for vulnerabilities in less popular browsers.

Webkit

| CVE/id | title | version | date |
|---|---|---|---|
| CVE-2017-7089 | UXSS via parent-tab:// | 10? | Sep 20, 2017 |
| CVE-2017-7037 | UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive | 10? | Mar 10 2017 |
| 0-1197 | WebKit: UXSS via CachedFrameBase::restore | 10? | Mar 17 2017 |
| CVE-2017-2528 | UXSS: CachedFrame doesn't detach openers | 10? | Mar 10 2017 |
| 0-1163 | UXSS via Document::prepareForDestruction and CachedFrame | 10? | Mar 3 2017 |
| CVE-2017-2510 | UXSS: enqueuePageshowEvent and enqueuePopstateEvent don't enqueue, but dispatch | 10? | Feb 27 2017 |
| CVE-2017-2508 | UXSS via ContainerNode::parserInsertBefore | 10? | Feb 24 2017 |
| 0-1134 | UXSS via ContainerNode::parserRemoveChild (2) | 10? | Feb 17 2017 |
| 0-1132 | UXSS: the patch of #1110 made another bug | 10 | Feb 16 2017 |
| CVE-2017-2504 | UXSS via Editor::Command::execute | 10.0.3 | Feb 16 2017 |
| CVE-2017-2493 | UXSS through HTMLObjectElement::updateWidget | 10.0.3 | Feb 9 2017 |
| CVE-2017-2480 | UXSS via a synchronous page load | 10.0.3 | Feb 9 2017 |
| CVE-2017-2479 | UXSS via a focus event and a link element | 10.0.3 | Feb 9 2017 |
| CVE-2017-2475 | UXSS via ContainerNode::parserRemoveChild | 10.0.3 | Feb 2 2017 |
| CVE-2017-2468 | Use-After-Free via Document::adoptNode | 10.0.3 | Jan 23 2017 |
| 0-1094 | UXSS via operationSpreadGeneric | 10.0.2 | Jan 20 2017 |
| 0-1084 | UXSS via PrototypeMap::createEmptyStructure | 10.0.2 | Jan 17 2017 |
| CVE-2017-2445 | UXSS via disconnectSubframes | 10.0.2 | Jan 9 2017 |
| CVE-2017-2442 | UXSS with JSCallbackData | 10.0.2 | Jan 3 2017 |
| CVE-2017-2367 | UXSS by accessing a named property from an unloaded window | 10.0.2 | Dec 23 2016 |
| CVE-2017-2365 | UXSS via Frame::setDocument | 10.0.2 | Dec 20 2016 |
| CVE-2017-2364 | UXSS via Frame::setDocument (1). | 10.0.2 | Dec 20 2016 |
| CVE-2017-2363 | UXSS via FrameLoader::clear | 10.0.2 | Dec 19 2016 |

Chromium

| CVE/id | title | version | date |
|---|---|---|---|
| CVE-2018-6128 | UXSS via URL parsing bug | 66 | May 9 2018 |
| CVE-2017-5124 | UXSS with MHTML | 61 | Oct 20 2017 |
| cr-687844 | window.external leaks global object + cross origin script access | 57 | Feb 2 2017 |
| CVE-2017-5007 | UXSS through bypassing ScopedPageSuspender with closing windows | 55 | Dec 5 2016 |
| cr-656274 | Cross-origin object leak via fetch | 56 (canary) | Oct 15 2016 |
| cr-594383 | UXSS via window.open() via file:// pages | 54 | Oct 15 2016 |
| CVE-2016-5207 | UXSS via fullscreen element updates | 54 | Oct 14 2016 |
| CVE-2016-5204 | UXSS by intercepting a UA shadow tree | 52 | Jul 24 2016 |
| CVE-2016-1676 | Persistent UXSS via SchemaRegistry | 50 | Apr 19 2016 |
| CVE-2016-1667 | UXSS through adopting image elements | 50 | Apr 21 2016 |
| CVE-2016-1674 | UXSS via the interception of Binding with Object.prototype.create | 49 | Mar 26 2016 |
| CVE-2016-1673 | UXSS using a FrameNavigationDisabler bypass | 49 | Mar 24 2016 |
| cr-583445 | UXSS in DocumentLoader::createWriterFor | 48 | Feb 2 2016 |
| CVE-2016-1631 | UXSS using Flash message loop | 47 | Dec 14 2015 |
| CVE-2015-6770 | UXSS using document.adoptNode | 45 | Oct 8 2015 |
| CVE-2015-6769 | UXSS via the unload_event module | 45 | Sep 22 2015 |
| CVE-2015-6765 | UXSS via ContainerNode::parserInsertBefore | 44 | Aug 11 2015 |
| CVE-2015-1268 | UXSS using IDBKeyRange static methods | 43 | May 31 2015 |
| CVE-2014-1747 | UXSS via local MHTML files | 35 | Dec 25 2013 |
| CVE-2014-1701 | UXSS via dispatchEvent on iframes | 32 | Feb 11 2014 |
| CVE-2011-2856 | Arbitrary cross-origin bypass using __defineGetter__ prototype override | 15 | Aug 18 2011 |
| CVE-2011-3243 | Universal XSS using contentWindow.eval | 12 | May 24 2011 |
| CVE-2011-1438 | bypass SOP with blob: | 11 | Mar 2 2011 |
| cr-74372 | chrome://blob-internals/ XSS | 11 | Feb 28 2011 |
| cr-37383 | javascript: url with a leading NULL byte can bypass cross origin protection. | ? | Mar 4 2010 |

IE/Edge

| CVE/id | version/date | reporter |
|---|---|---|
| CVE-2015-0072, alternative PoC | | |

Articles

Whitepapers

Browser hacking guides and design docs

Firefox

Tor

Brave

Chromium

Webkit

Electron

Specs

Bounties

Misc

Scripts

  # Export `js-vuln-db` repo CVEs to html
  bash ./scripts/js-vuln-db-to-format.sh html
  # Export `js-vuln-db` repo CVEs to js
  bash ./scripts/js-vuln-db-to-format.sh js

Author

Vladimir Metnew <vladimirmetnew@gmail.com>

LICENSE

MIT

TODO