Description
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
Remediation
References
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/
http://www.securityfocus.com/bid/74866
https://cordova.apache.org/announcements/2015/05/26/android-402.html
Related Vulnerabilities
CVE-2020-28438 Vulnerability in npm package deferred-exec
CVE-2023-45648 Vulnerability in maven package org.apache.tomcat:tomcat
CVE-2020-7704 Vulnerability in npm package linux-cmdline
CVE-2018-3732 Vulnerability in npm package resolve-path
CVE-2020-28469 Vulnerability in maven package org.webjars.bowergithub.es128:glob-parent