CVE-2015-1835
MEDIUM
Apache Cordova Android < 3.7.2 and 4.x < 4.0.2 - Secondary Configuration Variable Modification via Intent URL
Title source: llm
Description
Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.
References (3)
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/74866
Exploit, Technical Description, Third Party Advisory x_refsource_misc
http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/
Release Notes, Vendor Advisory x_refsource_confirm
https://cordova.apache.org/announcements/2015/05/26/android-402.html
Scores
CVSS v3
5.3
EPSS
0.0063
EPSS Percentile
70.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Details
CWE
CWE-20
Status
published
Products (3)
apache/cordova
4.0.0
apache/cordova
4.0.1
apache/cordova
< 3.7.1
Published
Oct 27, 2017
Tracked Since
Feb 18, 2026