Arbitrary Code Execution
Affecting cordova-android package, versions <4.1.1
Overview
cordova-android is an Android application library that allows Cordova-based projects to be built for the Android platform.
Affected versions of the package are vulnerable to Arbitrary Code Execution. When an application relies on a remote server, the package improperly implements a JavaScript whitelist protection mechanism. This allows attackers to bypass intended access restrictions via a crafted URI.
Remediation
Upgrade cordova-android to version 4.1.1 or higher.
CVSS Score
4.2, medium severity
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
- Credit: Muneaki Nishimura
- CVE: CVE-2015-5256
- CWE: CWE-264
- Snyk ID: npm:cordova-android:20151120-1
- Disclosed: 19 Nov, 2015
- Published: 21 Jun, 2017