Description
Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI.
References (6)
Core 6
Core References
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/536944/100/0/threaded
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/134497/Apache-Cordova-3.7.2-Whitelist-Failure.html
Third Party Advisory third-party-advisory
x_refsource_jvndb
http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000187.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/77677
Vendor Advisory x_refsource_confirm
https://cordova.apache.org/announcements/2015/11/20/security.html
Third Party Advisory third-party-advisory
x_refsource_jvn
http://jvn.jp/en/jp/JVN18889193/index.html
Scores
EPSS
0.0070
EPSS Percentile
72.4%
Details
CWE
CWE-264
Status
published
Products (1)
apache/cordova
< 3.6.4
Published
Nov 23, 2015
Tracked Since
Feb 18, 2026