Description
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
Remediation
References
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/
http://www.securityfocus.com/bid/74866
https://cordova.apache.org/announcements/2015/05/26/android-402.html
Related Vulnerabilities
CVE-2020-11023 Vulnerability in maven package org.webjars.npm:jquery
CVE-2020-25711 Vulnerability in maven package org.infinispan:infinispan-server-rest
CVE-2021-23362 Vulnerability in maven package org.webjars.npm:hosted-git-info
CVE-2022-31147 Vulnerability in maven package org.webjars:jquery-validation
CVE-2020-14966 Vulnerability in maven package org.webjars.npm:jsrsasign