CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-6799 – Apache Cordova Android 5.2.2 Information Leak
https://notcve.org/view.php?id=CVE-2016-6799
09 May 2017 — Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages passed to these methods (Log.v(), Log.d(), Log.i(), Log.w(), and Log.e()) are stored in a series of circular buffers on the device. By default, a maximum of four 16 KB rotated logs are kept in addition to the current log. The logged data can be read using Logcat on the device. • http://www.securityfocus.com/bid/98365 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-3160 – Cordova-Android 6.1.1 Insecure Transport
https://notcve.org/view.php?id=CVE-2017-3160
28 Jan 2017 — After the Android platform is added to Cordova the first time, or after a project is created using the build scripts, the scripts will fetch Gradle on the first build. However, since the default URI is not using https, it is vulnerable to a MiTM and the Gradle executable is not safe. The severity of this issue is high due to the fact that the build scripts immediately start a build after Gradle has been fetched. Developers who are concerned about this issue should install version 6.1.2 or higher of Cordova-... • http://www.securityfocus.com/bid/95838 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5207 – Apache Cordova iOS 3.9.1 Access Bypass
https://notcve.org/view.php?id=CVE-2015-5207
28 Apr 2016 — Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods. Apache Cordova iOS en versiones anteriores a 4.0.0 podrían permitir a atacantes eludir un mecanismo de protección de lista blanca de URL en una aplicación y cargar recursos arbitrarios aprovechando métodos no especificados. Apache Cordova iOS versions 3.9.1 and below suffer from an access bypass vulnerability. • http://jvn.jp/en/jp/JVN35341085/index.html • CWE-254: 7PK - Security Features CWE-284: Improper Access Control •
CVSS: 4.4EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5208 – Apache Cordova iOS 3.9.1 Arbitrary Plugin Execution
https://notcve.org/view.php?id=CVE-2015-5208
28 Apr 2016 — Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link. Apache Cordova iOS en versiones anteriores a 4.0.0 permite a atacantes remotos ejecutar plugins arbitrarios a través de un enlace. Apache Cordova iOS versions 3.9.1 and below allow for arbitrary plugin execution. • http://jvn.jp/en/jp/JVN41772178/index.html • CWE-20: Improper Input Validation •
CVSS: 5.0EPSS: 2%CPEs: 1EXPL: 0CVE-2015-8320 – Apache Cordova Android 3.6.4 BridgeSecret Weak Randomization
https://notcve.org/view.php?id=CVE-2015-8320
21 Nov 2015 — Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value. Apache Cordova-Android en versiones anteriores a 3.7.0 genera de manera incorrecta valores aleatorios para datos BridgeSecret, lo que facilita a atacantes llevar a cabo ataques de secuestro de puente mediante la predicción de un valor. Apache Cordova Android versions 3.6.4 and below use a bridge that allows the Native App... • http://packetstormsecurity.com/files/134496/Apache-Cordova-Android-3.6.4-BridgeSecret-Weak-Randomization.html •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5256 – Apache Cordova 3.7.2 Whitelist Failure
https://notcve.org/view.php?id=CVE-2015-5256
21 Nov 2015 — Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI. Apache Cordova-Android en versiones anteriores a 4.1.0, cuando una aplicación confía en un servidor remoto, implementa de manera incorrecta un mecanismo de protección de lista blanca JavaScript, lo que permite a atacantes eludir las restricciones destinadas al acceso a través de ... • http://jvn.jp/en/jp/JVN18889193/index.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1CVE-2015-1835 – Apache Cordova on Android Unintended Behavior
https://notcve.org/view.php?id=CVE-2015-1835
28 May 2015 — Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. Apache Cordova Android en versiones anteriores a la 3.7.2 y versiones 4.x anteriores a la 4.0.2, cuando una aplicación no establece valores explícitos en config.xml, permite que atacantes remotos modifiquen variables de configuración secundarias no definidas (preferencia... • http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps • CWE-20: Improper Input Validation •
CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 0CVE-2014-3500 – Apache Cordova Bypass / Information Disclosure / Insertion
https://notcve.org/view.php?id=CVE-2014-3500
05 Aug 2014 — Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. Vulnerabilidad en la aplicación Apache Cordova para Android en versiones inferiores a la 3.5.1 permite a atacantes remotos cambiar la página de inicio a través de URL manipuladas. Apache Cordova versions up to 3.5.0 suffer from information disclosure, whitelist bypass, and cross application issues. • http://cordova.apache.org/announcements/2014/08/04/android-351.html • CWE-17: DEPRECATED: Code •
CVSS: 9.1EPSS: 7%CPEs: 29EXPL: 0CVE-2014-1882
https://notcve.org/view.php?id=CVE-2014-1882
03 Mar 2014 — Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that leverages IFRAME script execution and directly accesses bridge JavaScript objects, as demonstrated by certain cordova.require calls. Apache Cordova 3.3.0 y anteriores y Adobe PhoneGap 2.9.0 y anteriores permiten a atacantes remotos evadir restricciones "device-resource" de un puente basado en eventos a través de... • http://openwall.com/lists/oss-security/2014/02/07/9 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 2%CPEs: 33EXPL: 1CVE-2014-1884
https://notcve.org/view.php?id=CVE-2014-1884
03 Mar 2014 — Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier on Windows Phone 7 and 8 do not properly restrict navigation events, which allows remote attackers to bypass intended device-resource restrictions via content that is accessed (1) in an IFRAME element or (2) with the XMLHttpRequest method by a crafted application. Apache Cordova 3.3.0 y anteriores y Adobe PhoneGap 2.9.0 y anteriores en Windows Phone 7 y 8 no restringen debidamente eventos de navegación, lo que permite a atacantes remotos ... • http://openwall.com/lists/oss-security/2014/02/07/9 • CWE-264: Permissions, Privileges, and Access Controls •