Description

Maxthon3 versions prior to 3.3 are vulnerable to cross context scripting (XCS) via the about:history page. The browser’s trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon’s exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection.

INFO

Published Date: 2025-08-05T20:03:14.736Z

Last Modified: 2026-04-07T14:02:29.335Z

Source: VulnCheck

AFFECTED PRODUCTS

The following products are affected by the CVE-2012-10032 vulnerability.

Vendor: Maxthon
Products:
  • Maxthon
  • Maxthon Browser

CVSS Vulnerability Scoring System

Vector metrics: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability