Description

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.

Remediation

References

http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/

http://www.securityfocus.com/bid/74866

https://cordova.apache.org/announcements/2015/05/26/android-402.html

Related Vulnerabilities

CVE-2020-28438 Vulnerability in npm package deferred-exec

CVE-2023-45648 Vulnerability in maven package org.apache.tomcat:tomcat

CVE-2020-7704 Vulnerability in npm package linux-cmdline

CVE-2018-3732 Vulnerability in npm package resolve-path

CVE-2020-28469 Vulnerability in maven package org.webjars.bowergithub.es128:glob-parent

Severity

Medium

Classification

CWE-20 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Tags

Exploit Technical Description Third Party Advisory VDB Entry Release Notes Vendor Advisory