Veracode Vulnerability DatabaseVERACODE:3360Bypassing Device-Resource Restrictions
0.02 Low
EPSS
Percentile
88.8%
Cordova is vulnerable to the bypass of intended device-resource restrictions. Leveraging on an event-based bridge, a library clone, and an IFRAME script execution, a remote attacker is able to wait for a certain amount of time for an OnJsPrompt handler return value as an alternative to correct synchronization to bypass these restrictions.
References
openwall.com/lists/oss-security/2014/02/07/9
packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txt
seclists.org/bugtraq/2014/Jan/96
www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf
www.internetsociety.org/ndss2014/programme#session3
github.com/apache/cordova-ios/blob/6f601304e8ce82766b10cb09be4aa4286be5477c/RELEASENOTES.md
github.com/apache/cordova-ios/commit/0f28be660c19f0860d1a37ee985e1fd934cae836
github.com/apache/cordova-ios/commit/d6fd0afdc430db947e257c0e80a8fcae2bee55bd
github.com/georgiev-martin/NoFrak/commit/df5cdc79766b6fa4ba78497532641ba1a5000812
packetstormsecurity.com/files/124954/apachecordovaphonegap-bypass.txt
Related
