14 results (0.008 seconds)

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. • http://www.securityfocus.com/bid/98365 https://lists.apache.org/thread.html/1f3e7b0319d64b455f73616f572acee36fbca31f87f5b2e509c45b69%40%3Cdev.cordova.apache.org%3E • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-Android. If developers are unable to install the latest version, this vulnerability can easily be mitigated by setting the CORDOVA_ANDROID_GRADLE_DISTRIBUTION_URL environment variable to https://services.gradle.org/distributions/gradle-2.14.1-all.zip Después de añadir la plataforma Android a Cordova por primera vez o después de crear un proyecto utilizando los build scripts, los scripts recuperarán Gradle en su primera build. • http://www.securityfocus.com/bid/95838 https://cordova.apache.org/announcements/2017/01/27/android-612.html https://www.oracle.com/security-alerts/cpuapr2020.html •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods. Apache Cordova iOS en versiones anteriores a 4.0.0 podrían permitir a atacantes eludir un mecanismo de protección de lista blanca de URL en una aplicación y cargar recursos arbitrarios aprovechando métodos no especificados. • http://jvn.jp/en/jp/JVN35341085/index.html http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000058.html http://packetstormsecurity.com/files/136840/Apache-Cordova-iOS-3.9.1-Access-Bypass.html http://www.securityfocus.com/archive/1/538211/100/0/threaded http://www.securityfocus.com/bid/88764 https://cordova.apache.org/announcements/2016/04/27/security.html • CWE-254: 7PK - Security Features CWE-284: Improper Access Control •

CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0

Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link. Apache Cordova iOS en versiones anteriores a 4.0.0 permite a atacantes remotos ejecutar plugins arbitrarios a través de un enlace. • http://jvn.jp/en/jp/JVN41772178/index.html http://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000059.html http://packetstormsecurity.com/files/136839/Apache-Cordova-iOS-3.9.1-Arbitrary-Plugin-Execution.html http://www.securityfocus.com/archive/1/538210/100/0/threaded http://www.securityfocus.com/bid/88797 https://cordova.apache.org/announcements/2016/04/27/security.html • CWE-20: Improper Input Validation •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0

Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value. Apache Cordova-Android en versiones anteriores a 3.7.0 genera de manera incorrecta valores aleatorios para datos BridgeSecret, lo que facilita a atacantes llevar a cabo ataques de secuestro de puente mediante la predicción de un valor. • http://packetstormsecurity.com/files/134496/Apache-Cordova-Android-3.6.4-BridgeSecret-Weak-Randomization.html http://www.securityfocus.com/archive/1/536945/100/0/threaded http://www.securityfocus.com/bid/77679 https://cordova.apache.org/announcements/2015/11/20/security.html •