Description
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
Remediation
References
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/
http://www.securityfocus.com/bid/74866
https://cordova.apache.org/announcements/2015/05/26/android-402.html