History: Jul 15, 2023 - 7:15 p.m.

CVE-2023-2507

2023-07-15 19:15:09
CWE-79
Fluid Attacks
web.nvd.nist.gov
clevertap
cordova
plugin
cve-2023-2507
remote attack
javascript execution
deeplink

CVSS3: 9.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS: 0.001
Percentile: 45.0%

CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a deeplink specially constructed by the attacker.

This is possible because the plugin does not correctly validate the data coming from deeplinks before using it.

Affected configurations

Nvd

Node: clevertap clevertap, Match 2.6.2, cordova

Vendor: clevertap
Product: clevertap
Version: 2.6.2
CPE: cpe:2.3:a:clevertap:clevertap:2.6.2:*:*:*:*:cordova:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Android"
    ],
    "product": "Cordova Plugin",
    "vendor": "CleverTap",
    "versions": [
      {
        "status": "affected",
        "version": "2.6.2"
      }
    ]
  }
]
