Published:2007/12/26  Last Updated:2008/05/21

GreaseKit and Creammonkey allows execution of userscript functions


GreaseKit and Creammonkey contains a vulnerability that can be exploited to execute functions for userscripts.

Products Affected

  • GreaseKit 1.2 through 1.3
  • Creammonkey 0.9 through 1.1
GreaseKit is the successor to Creammonkey.


GreaseKit and Creammonkey are plugins that enable user scripting to Safari and other Apple Webkit applications, and they provide APIs callable only from userscripts.
GreaseKit and Creammonkey are vulnerable in allowing APIs called from a web page.


When a user views a specially crafted web page, a remote attacker can read or modify the configuration, or send HTTP requests to arbitrary websites via the above functions, within the web page on which a userscript is configured to run.


Update the Software
Apply the latest update provided by the developer.
If you use Creammonkey, we recommend that you upgrade to the latest version of its successor GreaseKit, available from the developer's website.

Vendor Status

Vendor Status Last Update Vendor Notes
Kazuyoshi Kato Vulnerable 2007/12/26


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.12.26

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required Simple - the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file
  • Medium
Exploit Complexity Low - little to no expertise and/or luck required to exploit (cross-site scripting)
  • High

Description of each analysis measures


Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
JVN iPedia JVNDB-2007-000824

Update History