Homepage
About Snyk

Insecure Defaults Affecting cordova-plugin-file-transfer package, versions <0.4.2

0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.22% (60th percentile)
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:cordova-plugin-file-transfer:20140219
  • published 9 Nov 2017
  • disclosed 18 Feb 2014
  • credit Neil Bergman
Report a new vulnerability Found a mistake?

Introduced: 18 Feb 2014

CVE-2014-0072 Open this link in a new tab
CWE-297 Open this link in a new tab

How to fix?

Upgrade cordova-plugin-file-transfer to version 0.4.2 or higher.

Overview

cordova-plugin-file-transfer is a cordova File Transfer Plugin.

Affected version of this package are vulnerable to Insecure Defaults. ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option.

Details

When deciding on the default configuration, the package owner must take into consideration both usability and security, based on reasonable assumptions to how their package will be used. But more often then not, package consumers do not abide by said assumptions and this may open their hosting server to attacks by malicious users.

You can read more about Insecure Defaults on our blog.