Date: Tue, 11 Dec 2012 13:29:26 +0100
From: Roberto Suggi Liverani <>
To: bugtraq <>
Subject: Multiple critical vulnerabilities in Maxthon and Avant browsers


Below you can find a short summary of discovered vulnerabilities in
Maxthon and Avant browsers.
Such vulnerabilities were demonstrated during the HITBAMS2012 security
conference and more recently at HackPra.

Affected Products

- Maxthon (
- Avant Browser (

Security advisories

- [advisory] Maxthon multiple vulnerabilities:
- [advisory] Avant multiple vulnerabilities:

Individual security advisories, exploit modules and video links can be
found below.

[1] Maxthon - Cross Context Scripting - about: history - Remote Code Execution

[metasploit module]

[2] Maxthon - Cross Context Scripting (XCS) - RSS - Remote Code Execution

[metasploit module]

[3] Maxthon - Privileged APIs on


[4] Maxthon - Cross Context Scripting (XCS) - Bookmark Toolbar and
Bookmark Sidebar - Code Execution


[5] Maxthon - Incorrect Executable File Handling and Same Origin
Policy Implementation


[6] Avant Browser - Same Origin Policy Bypass - browser:home

[BeEF module]

[7] Avant Browser - Stored Cross Site Scripting - Feed Reader


[8] Avant Browser - Cross Context Scripting - browser:home - Most
Visited And History Tabs



[presentation] HITBAMS2012 - Window Shopping: Browser Bugs Hunting in
2012 -
[presentation] HackPra - Cross Context Scripting attacks &
exploitation -

Any further material, comments or updates will be communicated over
Twitter, at

Roberto Suggi Liverani
