Google Chrome for Android contains a flaw that allows a universal cross-site scripting (UXSS) attack. This flaw exists because the application does not validate input passed via intent extra data before returning it to the user. This may allow a malicious app to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between the browser and a web server.

Upgrade to version 18.0.1025308 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2012-4905 (see also: NVD)
• Secunia Advisory ID: 50613
• Bugtraq ID: 55523
• Related OSVDB ID: 85431 85433 85434 85435 85436
• Vendor Specific Advisory URL: http://googlechromereleases.blogspot.com/2012/09/chrome-for-android-update.html
• Packet Storm: http://packetstormsecurity.com/files/119295/Chrome-For-Android-Universal-Cross-Site-Scripting.html
• Mail List Post: http://seclists.org/bugtraq/2013/Jan/22
• Vendor Specific News/Changelog Entry: https://code.google.com/p/chromium/issues/detail?id=144813

• Takeshi Terada