A Japanese version is also available.


A security vulnerability has been discovered in GreaseKit and Creammonkey. It can be exploited by malicious people to send (cross-site) HTTP requests or to read and write configuration values. Please upgrade to GreaseKit 1.4.

Affected Software Versions

To verify the version number,


Launch Safari and from the ":)" menu, choose "About Creammonkey".


Launch Safari (or a GreaseKit-enabled application) and from the "GreaseKit" or ":)" menu, choose "About GreaseKit".


The vulnerability has been fixed in GreaseKit 1.4 by reducing the functionality.


GreaseKit provides 6 functions (GM_addStyle, GM_log, GM_openInTab, GM_setValue, GM_getValue and GM_xmlhttpRequest) to userscripts. For security reasons, these functions are not callable from a web page.

However, the vulnerability could allow an attacker to execute these functions from a web page. Successful exploitation requires that a userscript is configured to run on the malicious web page.
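
One way to check that precondition before upgrading, as an added example that is not GreaseKit's own code: given the source of each installed userscript, list the ones that would run on a URL you do not trust. It assumes Greasemonkey-style metadata blocks with `@include` / `@exclude` glob patterns and that a script with no `@include` runs on every page; the function names and the sample scripts are constructed for illustration.

```javascript
// Added example: which userscripts meet the advisory's precondition
// (configured to run on a page you do not trust)?

// Read @name, @include and @exclude from the ==UserScript== metadata block.
function parseMeta(source) {
  const meta = { name: "(unnamed)", include: [], exclude: [] };
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (block) {
    for (const line of block[1].split("\n")) {
      const m = line.match(/^\s*\/\/\s*@(\w+)\s+(.+?)\s*$/);
      if (!m) continue;
      if (m[1] === "name") meta.name = m[2];
      else if (m[1] === "include" || m[1] === "exclude") meta[m[1]].push(m[2]);
    }
  }
  // Assumption: no @include means "every page", as in Greasemonkey.
  if (meta.include.length === 0) meta.include.push("*");
  return meta;
}

// Translate a glob to an anchored RegExp: escape everything, then "*" -> ".*".
function globToRegExp(glob) {
  const escaped = glob.replace(/[.*+?^${}()|[\]\\]/g, "\\$&").replace(/\\\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// A script runs on a URL if some @include matches and no @exclude does.
function runsOn(meta, url) {
  const hit = (globs) => globs.some((g) => globToRegExp(g).test(url));
  return hit(meta.include) && !hit(meta.exclude);
}

// Names of the scripts that would run on `url`.
function exposedScripts(sources, url) {
  return sources.map(parseMeta).filter((m) => runsOn(m, url)).map((m) => m.name);
}

// Constructed sample userscripts (not real installed scripts).
const SAMPLES = [
  "// ==UserScript==\n// @name Everywhere\n// @include *\n// ==/UserScript==\nGM_log('hi');",
  "// ==UserScript==\n// @name OneSite\n// @include http://example.org/*\n// ==/UserScript==",
  "// ==UserScript==\n// @name NoInclude\n// ==/UserScript==",
  "// ==UserScript==\n// @name Excluded\n// @include *\n// @exclude http://untrusted.example/*\n// ==/UserScript==",
];

console.log(exposedScripts(SAMPLES, "http://untrusted.example/page.html"));
```

Scripts that this lists for arbitrary URLs are the ones to disable or narrow until GreaseKit 1.4 is installed.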


KATO Kazuyoshi <kzys@8-p.info>