Description

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.

Remediation

References

https://cordova.apache.org/announcements/2015/05/26/android-402.html

http://www.securityfocus.com/bid/74866

http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/

Related Vulnerabilities

CVE-2021-4264 Vulnerability in npm package dustjs-linkedin

CVE-2023-44487 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2023-50768 Vulnerability in maven package org.sonatype.nexus.ci:nexus-jenkins-plugin

CVE-2021-28657 Vulnerability in maven package org.apache.tika:tika-parsers

CVE-2021-32641 Vulnerability in npm package auth0-lock

Severity

Medium

Classification

CWE-20 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Tags

Release Notes Vendor Advisory Third Party Advisory VDB Entry Exploit Technical Description