18 matches found
CVE-2021-21315
CVE-2021-21315 affects the npm package System Information (systeminformation) prior to version 5.3.1. The vulnerability is a command injection in functions that process service/latency queries (e.g., si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad()) which can be exploited via...
CVE-2015-8320
CVE-2015-8320 affects Apache Cordova Android before 3.7.0, where BridgeSecret data were generated with weak randomness. This lax randomness enables attackers to predict the BridgeSecret value and perform bridge hijacking attacks. The vulnerability is listed with a CVSS v2 base score of 5.0 (Mediu...
CVE-2017-3160
CVE-2017-3160 affects Apache Cordova for Android, where on first add/build the Gradle tool is downloaded via an HTTP (not HTTPS) URI by default. This enables a man-in-the-middle (MiTM) attack that can tamper with the Gradle distribution, since the downloaded Gradle executable is immediately execu...
CVE-2014-3501
Apache Cordova for Android prior to 3.5.1 is vulnerable (CVE-2014-3501) to bypass the HTTP allowlist via WebView by using JavaScript to open non-http channels, enabling a remote attacker to reach arbitrary servers. The issue stems from improper use of an allowlist when WebView handles non-http co...
CVE-2014-3500
Apache Cordova for Android (pre-3.5.1) is vulnerable to Cross-Application Scripting via crafted Android intents that can change the start page, enabling an attacker to execute script in the victim’s browser and potentially steal cookie-based credentials. The issue stems from insufficient input va...
CVE-2015-1835
CVE-2015-1835 affects Apache Cordova on Android: Cordova Android builds before 3.7.2 and 4.x before 4.0.2 allow remote modification of undefined secondary configuration variables (preferences) when config.xml lacks explicit values, via a crafted URL/Intent. Impact stated as potential modification...
CVE-2015-5208
Apache Cordova iOS prior to 4.0.0 contains a vulnerability that allows arbitrary plugin execution when a user accesses a specially crafted link. The issue affects Cordova iOS up to version 3.x and is remedied by upgrading Cordova to 4.0.0 or later and rebuilding the iOS application.
CVE-2015-5256
Summary of CVE-2015-5256 : Apache Cordova-Android before 4.1.0 contains a flaw in the remote server relyance whitelisting mechanism that allows an attacker to bypass intended access restrictions by crafting a URI. This can enable execution of non-whitelisted JavaScript. Concrete details from conn...
CVE-2014-3502
CVE-2014-3502 affects Apache Cordova on Android prior to 3.5.1. The weakness allows remote attackers to open and send data to arbitrary applications by exploiting a crafted Android intent URI scheme, enabling information exposure via manipulated HTML content within a Cordova app. The CVSS base sc...
CVE-2014-1881
CVE-2014-1881 affects Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier. The vulnerability arises in an event-based bridge technique where a crafted library clone can trigger IFRAME script execution and waits for an OnJsPrompt handler return value to bypass intended device-res...
CVE-2016-6799
CVE-2016-6799 affects Apache Cordova Android 5.2.2 and earlier. The vulnerability arises from logging via the Log class, which stores messages in circular buffers on the device; on Android versions prior to 4.1, logs are not sandboxed per-app, allowing any installed app to read another app’s log ...
CVE-2014-0073
The CVE-2014-0073 issue affects Apache Cordova In-App-Browser for iOS: the In-App-Browser plugin (Cordova 2.6.0–2.9.0) and the standalone iOS plugin (org.apache.cordova.inappbrowser, 0.1.0–0.3.1) fail to properly validate callback identifiers, enabling remote attackers to execute arbitrary JavaSc...
CVE-2014-1884
CVE-2014-1884 affects Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier on Windows Phone 7/8. The root cause is improper restriction of navigation events, which lets remote attackers bypass device-resource restrictions when content is accessed (1) inside an iframe or (2) via t...
CVE-2014-0072
CVE-2014-0072 affects the Apache Cordova File-Transfer stack on iOS. The File-Transfer plugin for iOS (Cordova 2.4.0–2.9.0) and the standalone File-Transfer plugin (org.apache.cordova.file-transfer) prior to 0.4.2 default the trustAllHosts option to true, allowing remote attackers to spoof SSL se...
CVE-2020-11990
CVE-2020-11990 affects the Apache Cordova Plugin camera on Android. Vulnerability: when the plugin caches taken images to external storage, any app with READ_EXTERNAL_STORAGE/WRITE_EXTERNAL_STORAGE can access those cached image files, exposing user photos. Root cause: the external storage caching...
CVE-2012-6637
Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier are affected by a flaw in the domain-name whitelist check: the end of domain-name regular expressions is not anchored, allowing a domain that contains an acceptable name as an initial substring to bypass the whitelist. This is a code/...
CVE-2014-1882
Affected software: Apache Cordova 3.3.0 and earlier; Adobe PhoneGap 2.9.0 and earlier. Root cause: An event-based bridge can be bypassed via a crafted library clone that uses IFRAME script execution to directly access bridge JavaScript objects, demonstrated by cordova.require calls. Impact: Remot...
CVE-2015-5207
Cordova iOS prior to 4.0.0 has a vulnerability where the whitelist restriction is not properly applied, potentially allowing an attacker to load resources by bypassing URL access rules. The issue affects iOS applications built with Cordova and is documented in multiple sources (e.g., JVN-2016-000...