CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6799 – Apache Cordova Android 5.2.2 Information Leak
https://notcve.org/view.php?id=CVE-2016-6799
09 May 2017 — Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. • http://www.securityfocus.com/bid/98365 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-3160 – Cordova-Android 6.1.1 Insecure Transport
https://notcve.org/view.php?id=CVE-2017-3160
28 Jan 2017 — After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-... • http://www.securityfocus.com/bid/95838 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5207 – Apache Cordova iOS 3.9.1 Access Bypass
https://notcve.org/view.php?id=CVE-2015-5207
28 Apr 2016 — Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods. Apache Cordova iOS en versiones anteriores a 4.0.0 podrían permitir a atacantes eludir un mecanismo de protección de lista blanca de URL en una aplicación y cargar recursos arbitrarios aprovechando métodos no especificados. Apache Cordova iOS versions 3.9.1 and below suffer from an access bypass vulnerability. • http://jvn.jp/en/jp/JVN35341085/index.html • CWE-254: 7PK - Security Features CWE-284: Improper Access Control •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5208 – Apache Cordova iOS 3.9.1 Arbitrary Plugin Execution
https://notcve.org/view.php?id=CVE-2015-5208
28 Apr 2016 — Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link. Apache Cordova iOS en versiones anteriores a 4.0.0 permite a atacantes remotos ejecutar plugins arbitrarios a través de un enlace. Apache Cordova iOS versions 3.9.1 and below allow for arbitrary plugin execution. • http://jvn.jp/en/jp/JVN41772178/index.html • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 2%CPEs: 1EXPL: 0CVE-2015-8320 – Apache Cordova Android 3.6.4 BridgeSecret Weak Randomization
https://notcve.org/view.php?id=CVE-2015-8320
21 Nov 2015 — Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value. Apache Cordova-Android en versiones anteriores a 3.7.0 genera de manera incorrecta valores aleatorios para datos BridgeSecret, lo que facilita a atacantes llevar a cabo ataques de secuestro de puente mediante la predicción de un valor. Apache Cordova Android versions 3.6.4 and below use a bridge that allows the Native App... • http://packetstormsecurity.com/files/134496/Apache-Cordova-Android-3.6.4-BridgeSecret-Weak-Randomization.html •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5256 – Apache Cordova 3.7.2 Whitelist Failure
https://notcve.org/view.php?id=CVE-2015-5256
21 Nov 2015 — Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI. Apache Cordova-Android en versiones anteriores a 4.1.0, cuando una aplicación confía en un servidor remoto, implementa de manera incorrecta un mecanismo de protección de lista blanca JavaScript, lo que permite a atacantes eludir las restricciones destinadas al acceso a través de ... • http://jvn.jp/en/jp/JVN18889193/index.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2015-1835 – Apache Cordova on Android Unintended Behavior
https://notcve.org/view.php?id=CVE-2015-1835
28 May 2015 — Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. Apache Cordova Android en versiones anteriores a la 3.7.2 y versiones 4.x anteriores a la 4.0.2, cuando una aplicación no establece valores explícitos en config.xml, permite que atacantes remotos modifiquen variables de configuración secundarias no definidas (preferencia... • http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 0CVE-2014-3500 – Apache Cordova Bypass / Information Disclosure / Insertion
https://notcve.org/view.php?id=CVE-2014-3500
05 Aug 2014 — Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. Vulnerabilidad en la aplicación Apache Cordova para Android en versiones inferiores a la 3.5.1 permite a atacantes remotos cambiar la página de inicio a través de URL manipuladas. Apache Cordova versions up to 3.5.0 suffer from information disclosure, whitelist bypass, and cross application issues. • http://cordova.apache.org/announcements/2014/08/04/android-351.html • CWE-17: DEPRECATED: Code •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2014-0072 – Apache Cordova 2.9.0 File-Transfer Insecure Defaults
https://notcve.org/view.php?id=CVE-2014-0072
05 Mar 2014 — ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. ios/CDVFileTransfer.m en el plugin independiente Apache Cordova File-Transfer (org.apache.cordova.file-transfer) en versiones anteriores a la 0.4.2 para iOS y el plugin File-Transfer para iOS ... • http://d3adend.org/blog/?p=403 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 11%CPEs: 2EXPL: 0CVE-2014-0073 – Apache Cordova 2.9.0 Privilege Escalation
https://notcve.org/view.php?id=CVE-2014-0073
04 Mar 2014 — The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. La clase CDVInAppBrowser en el plugin independiente Apache Cordova In-App-Browser (org.apache.cordova.inappbrowser) ... • http://d3adend.org/blog/?p=403 • CWE-264: Permissions, Privileges, and Access Controls •