[Japanese]

JVNDB-2007-000824

GreaseKit and Creammonkey allows execution of userscript functions

Overview

GreaseKit and Creammonkey contains a vulnerability that can be exploited to execute functions for userscripts.

GreaseKit and Creammonkey are plugins that enable user scripting to Safari and other Apple Webkit applications, and they provide APIs callable only from userscripts.
GreaseKit and Creammonkey are vulnerable in allowing APIs called from a web page.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products


KATO Kazuyoshi
  • Creammonkey 0.9 through 1.1
  • GreaseKit 1.2 through 1.3

Impact

When a user views a specially crafted web page, a remote attacker can read or modify the configuration, or send HTTP requests to arbitrary websites via the above functions, within the web page on which a userscript is configured to run.
Solution

[Update the Software]
Apply the latest update provided by the developer.
If you use Creammonkey, we recommend that you upgrade to the latest version of its successor GreaseKit, available from the developer's website.
Vendor Information

KATO Kazuyoshi
CWE (What is CWE?)

  1. Permissions(CWE-264) [NVD Evaluation]
CVE (What is CVE?)

  1. CVE-2007-6640
References

  1. JVN : JVN#33044255
  2. National Vulnerability Database (NVD) : CVE-2007-6640
  3. Secunia Advisory : SA28241
  4. ISS X-Force Database : 39272
Revision History

  • [2008/05/21]
      Web page published

Date Public2007/12/26
Date First Published2008/05/21
Date Last Updated2008/05/21