CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2015-1835 – Apache Cordova on Android Unintended Behavior
https://notcve.org/view.php?id=CVE-2015-1835
28 May 2015 — Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. Apache Cordova Android en versiones anteriores a la 3.7.2 y versiones 4.x anteriores a la 4.0.2, cuando una aplicación no establece valores explícitos en config.xml, permite que atacantes remotos modifiquen variables de configuración secundarias no definidas (preferencia... • http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 0CVE-2014-3500 – Apache Cordova Bypass / Information Disclosure / Insertion
https://notcve.org/view.php?id=CVE-2014-3500
05 Aug 2014 — Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. Vulnerabilidad en la aplicación Apache Cordova para Android en versiones inferiores a la 3.5.1 permite a atacantes remotos cambiar la página de inicio a través de URL manipuladas. Apache Cordova versions up to 3.5.0 suffer from information disclosure, whitelist bypass, and cross application issues. • http://cordova.apache.org/announcements/2014/08/04/android-351.html • CWE-17: DEPRECATED: Code •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 0CVE-2014-3501 – Apache Cordova Bypass / Information Disclosure / Insertion
https://notcve.org/view.php?id=CVE-2014-3501
05 Aug 2014 — Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. Apache Cordova Android anterior a 3.5.1 permite a atacantes remotos saltar la whitelist de HTTP y conectarse a servidores arbitrarios usando JavaScript para abrir las conexiones de WebSocket a través de WebView. Apache Cordova versions up to 3.5.0 suffer from information disclosure, whitelist bypass, and cross application... • http://cordova.apache.org/announcements/2014/08/04/android-351.html • CWE-254: 7PK - Security Features •
CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 0CVE-2014-3502 – Apache Cordova Bypass / Information Disclosure / Insertion
https://notcve.org/view.php?id=CVE-2014-3502
05 Aug 2014 — Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent. Apache Cordova Android anterior a 3.5.1 permite a atacantes remotos abrir y enviar datos a aplicaciones arbitrarias a través una URL con un esquema URI manipulado para un intento Android. Android applications built with the Cordova framework can launch other applications through the use of anchor tags, or by redirecting the webview to an Andro... • http://cordova.apache.org/announcements/2014/08/04/android-351.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2014-0072 – Apache Cordova 2.9.0 File-Transfer Insecure Defaults
https://notcve.org/view.php?id=CVE-2014-0072
05 Mar 2014 — ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. ios/CDVFileTransfer.m en el plugin independiente Apache Cordova File-Transfer (org.apache.cordova.file-transfer) en versiones anteriores a la 0.4.2 para iOS y el plugin File-Transfer para iOS ... • http://d3adend.org/blog/?p=403 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 11%CPEs: 2EXPL: 0CVE-2014-0073 – Apache Cordova 2.9.0 Privilege Escalation
https://notcve.org/view.php?id=CVE-2014-0073
04 Mar 2014 — The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. La clase CDVInAppBrowser en el plugin independiente Apache Cordova In-App-Browser (org.apache.cordova.inappbrowser) ... • http://d3adend.org/blog/?p=403 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 7%CPEs: 29EXPL: 0CVE-2014-1882
https://notcve.org/view.php?id=CVE-2014-1882
03 Mar 2014 — Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and directly accesses bridge JavaScript objects, as demonstrated by certain cordova.require calls. Apache Cordova 3.3.0 y anteriores y Adobe PhoneGap 2.9.0 y anteriores permiten a atacantes remotos evadir restricciones "device-resource" de un puente basado en eventos a través de... • http://openwall.com/lists/oss-security/2014/02/07/9 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 2%CPEs: 33EXPL: 1CVE-2014-1884
https://notcve.org/view.php?id=CVE-2014-1884
03 Mar 2014 — Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier on Windows Phone 7 and 8 do not properly restrict navigation events, which allows remote attackers to bypass intended device-resource restrictions via content that is accessed (1) in an IFRAME element or (2) with the XMLHttpRequest method by a crafted application. Apache Cordova 3.3.0 y anteriores y Adobe PhoneGap 2.9.0 y anteriores en Windows Phone 7 y 8 no restringen debidamente eventos de navegación, lo que permite a atacantes remotos ... • http://openwall.com/lists/oss-security/2014/02/07/9 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 7%CPEs: 29EXPL: 1CVE-2014-1881
https://notcve.org/view.php?id=CVE-2014-1881
03 Mar 2014 — Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and waits a certain amount of time for an OnJsPrompt handler return value as an alternative to correct synchronization. Apache Cordova 3.3.0 y anteriores y Adobe PhoneGap 2.9.0 y anteriores permiten a atacantes remotos evadir restricciones "device-resource" de un puente basado e... • http://openwall.com/lists/oss-security/2014/02/07/9 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 1%CPEs: 29EXPL: 1CVE-2012-6637
https://notcve.org/view.php?id=CVE-2012-6637
03 Mar 2014 — Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier do not anchor the end of domain-name regular expressions, which allows remote attackers to bypass a whitelist protection mechanism via a domain name that contains an acceptable name as an initial substring. Apache Cordova 3.3.0 y anteriores y Adobe PhoneGap 2.9.0 y anteriores no identifican las expresiones regulares del final de un nombre de dominio, lo que permite a atacantes remotos evadir un mecanismo de protección de lista blanca a tr... • http://labs.mwrinfosecurity.com/blog/2012/04/30/building-android-javajavascript-bridges • CWE-20: Improper Input Validation •