Description

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.

Remediation

References

https://cordova.apache.org/announcements/2015/05/26/android-402.html

http://www.securityfocus.com/bid/74866

http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/

Related Vulnerabilities

CVE-2022-36910 Vulnerability in maven package org.jenkins-ci.plugins:lucene-search

CVE-2020-26296 Vulnerability in maven package org.webjars.bower:vega

CVE-2022-35912 Vulnerability in maven package org.grails:grails-databinding

CVE-2017-1000353 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2019-10350 Vulnerability in maven package org.jenkins-ci.plugins:port-allocator

Severity

Medium

Classification

CWE-20 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Tags

Release Notes Vendor Advisory Third Party Advisory VDB Entry Exploit Technical Description