uzbl 'eval_js' Function Arbitrary Script Injection Vulnerability

Bugtraq ID:	39149
Class:	Input Validation Error
CVE:	CVE-2010-0011
Remote:	Yes
Local:	No
Published:	Jan 05 2010 12:00AM
Updated:	Jan 05 2010 12:00AM
Credit:	Simon Lipp
Vulnerable:	uzbl Uzbl 0
Not Vulnerable:

uzbl 'eval_js' Function Arbitrary Script Injection Vulnerability

Uzbl is prone to an arbitrary script-injection vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to execute arbitrary script code within the context of the application.

uzbl 'eval_js' Function Arbitrary Script Injection Vulnerability

To launch an attack, an attacker must trick a victim into viewing a malicious website.

uzbl 'eval_js' Function Arbitrary Script Injection Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].

uzbl 'eval_js' Function Arbitrary Script Injection Vulnerability

References:

• 2010.01.05: Nasty security bug (Uzbl)
  
• 2010.03.14: mouse pointer events, http auth handler, uzbl-tabbed improvements, . (uzbl)
  
• uzbl Homepage (uzbl)