Awesome Open Source
Awesome Open Source

uxss-db

Star the repo, if it was useful for you .

Any help is highly appreciated, check TODO!

Inspired by js-vuln-db

For memory bugs, exploits and other: check awesome-browser-exploit

You can extract js-vuln-db CVEs to .html/.js files using Scripts

Intro

Some CVE ids were not found:

Version field has "?" symbol, if a version wasn't attached to the report

NOTE: Many CVEs aren't listed in the tables below!

Check /other folder = unsorted/unknown/duplicated CVEs and vulnerabilities for less popular browsers

Webkit

CVE/id title version date
CVE-2017-7089 UXSS via parent-tab:// 10? Sep 20, 2017
CVE-2017-7037 UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive 10? Mar 10 2017
0-1197 WebKit: UXSS via CachedFrameBase::restore 10? Mar 17 2017
CVE-2017-2528 UXSS: CachedFrame doesn't detach openers 10? Mar 10 2017
0-1163 UXSS via Document::prepareForDestruction and CachedFrame 10? Mar 3 2017
CVE-2017-2510 UXSS: enqueuePageshowEvent and enqueuePopstateEvent don't enqueue, but dispatch 10? Feb 27 2017
CVE-2017-2508 UXSS via ContainerNode::parserInsertBefore 10? Feb 24 2017
0-1134 UXSS via ContainerNode::parserRemoveChild (2) 10? Feb 17 2017
0-1132 UXSS: the patch of #1110 made another bug 10 Feb 16 2017
CVE-2017-2504 UXSS via Editor::Command::execute 10.0.3 Feb 16 2017
CVE-2017-2493 UXSS through HTMLObjectElement::updateWidget 10.0.3 Feb 9 2017
CVE-2017-2480 UXSS via a synchronous page load 10.0.3 Feb 9 2017
CVE-2017-2479 UXSS via a focus event and a link element 10.0.3 Feb 9 2017
CVE-2017-2475 UXSS via ContainerNode::parserRemoveChild 10.0.3 Feb 2 2017
CVE-2017-2468 Use-After-Free via Document::adoptNode 10.0.3 Jan 23 2017
0-1094 UXSS via operationSpreadGeneric 10.0.2 Jan 20 2017
0-1084 UXSS via PrototypeMap::createEmptyStructure 10.0.2 Jan 17 2017
CVE-2017-2445 UXSS via disconnectSubframes 10.0.2 Jan 9 2017
CVE-2017-2442 UXSS with JSCallbackData 10.0.2 Jan 3 2017
CVE-2017-2367 UXSS by accessing a named property from an unloaded window 10.0.2 Dec 23 2016
CVE-2017-2365 UXSS via Frame::setDocument 10.0.2 Dec 20 2016
CVE-2017-2364 UXSS via Frame::setDocument (1). 10.0.2 Dec 20 2016
CVE-2017-2363 UXSS via FrameLoader::clear 10.0.2 Dec 19 2016

Chromium

CVE/id title version date
CVE-2018-6128 UXSS via URL parsing bug 66 May 9 2018
CVE-2017-5124 UXSS with MHTML 61 Oct 20 2017
cr-687844 window.external leaks global object + cross origin script access 57 Feb 2 2017
CVE-2017-5007 UXSS through bypassing ScopedPageSuspender with closing windows 55 Dec 5 2016
cr-656274 Cross-origin object leak via fetch 56 (canary) Oct 15 2016
cr-594383 UXSS via window.open() via file:// pages 54 Oct 15 2016
CVE-2016-5207 UXSS via fullscreen element updates 54 Oct 14 2016
CVE-2016-5204 UXSS by intercepting a UA shadow tree 52 Jul 24 2016
CVE-2016-1676 Persistent UXSS via SchemaRegistry 50 Apr 19 2016
CVE-2016-1667 UXSS through adopting image elements 50 Apr 21 2016
CVE-2016-1674 UXSS via the interception of Binding with Object.prototype.create 49 Mar 26 2016
CVE-2016-1673 UXSS using a FrameNavigationDisabler bypass 49 Mar 24 2016
cr-583445 UXSS in DocumentLoader::createWriterFor 48 Feb 2 2016
CVE-2016-1631 UXSS using Flash message loop 47 Dec 14 2015
CVE-2015-6770 UXSS using document.adoptNode 45 Oct 8 2015
CVE-2015-6769 UXSS via the unload_event module 45 Sep 22 2015
CVE-2015-6765 UXSS via ContainerNode::parserInsertBefore 44 Aug 11 2015
CVE-2015-1268 UXSS using IDBKeyRange static methods 43 May 31 2015
CVE-2014-1747 UXSS via local MHTML files 35 Dec 25 2013
CVE-2014-1701 UXSS via dispatchEvent on iframes 32 Feb 11 2014
CVE-2011-2856 Arbitrary cross-origin bypass using __defineGetter__ prototype override 15 Aug 18 2011
CVE-2011-3243 Universal XSS using contentWindow.eval 12 May 24 2011
CVE-2011-1438 bypass SOP with blob: 11 Mar 2 2011
cr-74372 chrome://blob-internals/ XSS 11 Feb 28 2011
cr-37383 javascript: url with a leading NULL byte can bypass cross origin protection. ? Mar 4 2010

IE/Edge

CVE/id version/date reporter
CVE-2015-0072, alternative PoC

Articles

Whitepapers

Browser hacking guides and design docs

Firefox

Tor

Brave

Chromium

Webkit

Electron

Specs

Bounties

Misc

Scripts

  # Export `js-vuln-db` repo CVEs to html
  bash ./scripts/js-vuln-db-to-format.sh html
  # Export `js-vuln-db` repo CVEs to js
  bash ./scripts/js-vuln-db-to-format.sh js

Author

Vladimir Metnew mailto:[email protected]

LICENSE

MIT

TODO

Related Awesome Lists
Top Programming Languages
Top Projects

Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Javascript (1,058,025
Security (31,689
Vulnerability (15,544
Origin (4,602
Chromium (2,716
Cve (2,409
Webkit (2,189
Bypass (2,009
Xss (1,734
Brave (550