Description
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
Remediation
References
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/
http://www.securityfocus.com/bid/74866
https://cordova.apache.org/announcements/2015/05/26/android-402.html