Description

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.

Remediation

References

http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/

http://www.securityfocus.com/bid/74866

https://cordova.apache.org/announcements/2015/05/26/android-402.html

Related Vulnerabilities

CVE-2023-50709 Vulnerability in npm package @cubejs-backend/api-gateway

CVE-2020-8244 Vulnerability in maven package org.webjars.npm:bl

CVE-2017-16167 Vulnerability in npm package yyooopack

CVE-2023-37913 Vulnerability in maven package org.xwiki.platform:xwiki-platform-office-importer

CVE-2022-37616 Vulnerability in maven package org.webjars.npm:xmldom

Severity

Medium

Classification

CWE-20 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Tags

Exploit Technical Description Third Party Advisory VDB Entry Release Notes Vendor Advisory