CVE-2019-0219

CRITICAL

Cordova InAppBrowser < 3.0.0 - Arbitrary JavaScript Execution via gap-iab URI

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-0219. PoCs published by BlackFan.

AI-analyzed exploit summary: The repository contains a functional proof-of-concept for CVE-2019-0219, demonstrating a privilege escalation vulnerability in Apache Cordova's InAppBrowser plugin. The exploit leverages a crafted URL scheme to execute arbitrary JavaScript in the main WebView context, bypassing intended security restrictions.

Description

A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview using a specially crafted gap-iab: URI.

Exploits (1)

github WORKING POC 21 stars
by BlackFan · poc
https://github.com/BlackFan/CVE_PoCs/tree/master/CVE-2019-0219 (Apache Cordova)

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Apache Cordova (cordova-plugin-inappbrowser <= 3.0.0)
No auth needed
Prerequisites: Victim must interact with a malicious link or embedded script in an InAppBrowser context
devstral-2 · analyzed Feb 27, 2026

References (6)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/11/28/1
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Mailing List, Vendor Advisory x_refsource_misc
https://lists.apache.org/thread/4vtg0trdrh5203dktt4f3vkd5z2d5ndj

Scores

CVSS v3 9.8
EPSS 0.0891
EPSS Percentile 92.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (9)
apache/cordova_inappbrowser < 3.0.0
npm/cordova-plugin-inappbrowser 0 - 3.1.0
oracle/instantis_enterprisetrack 17.1
oracle/instantis_enterprisetrack 17.2
oracle/instantis_enterprisetrack 17.3
oracle/retail_xstore_point_of_service 16.0.6
oracle/retail_xstore_point_of_service 17.0.4
oracle/retail_xstore_point_of_service 18.0.3
oracle/retail_xstore_point_of_service 19.0.2
Published Jan 14, 2020
Tracked Since Feb 18, 2026