CRLF Injection

Affecting cordova-plugin-file-transfer package, versions <1.3.0

Overview

cordova-plugin-file-transfer is a Cordova File Transfer Plugin.

Affected versions of the package are vulnerable to CRLF Injection. This allows remote attackers to inject arbitrary headers via CRLF sequences in the filename of an uploaded file.
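The header-injection pattern described above, as an added example that is not the plugin's own code. It assumes the file name is placed in the `Content-Disposition` header of a multipart/form-data part; the function names and the sample file name are hypothetical and constructed for illustration.

```javascript
// Added illustration; function names are hypothetical, not the plugin's code.
const CRLF = "\r\n";

// Constructed sample: a file name carrying a CR LF pair and a made-up header.
const SAMPLE_FILENAME = "a.txt\r\nX-Added-By-Filename: 1";

// Vulnerable pattern: the file name is copied verbatim into a header line.
function buildPartHeadersUnsafe(fieldName, fileName, mimeType) {
  return `Content-Disposition: form-data; name="${fieldName}"; filename="${fileName}"` + CRLF +
    `Content-Type: ${mimeType}` + CRLF + CRLF;
}

// Hardened pattern: refuse control characters (CR and LF included) in every
// value that reaches a header line, and escape quote and backslash.
function buildPartHeadersSafe(fieldName, fileName, mimeType) {
  for (const value of [fieldName, fileName, mimeType]) {
    if (/[\u0000-\u001f\u007f]/.test(value)) {
      throw new RangeError("control character in header value");
    }
  }
  const quote = (s) => s.replace(/(["\\])/g, "\\$1");
  return `Content-Disposition: form-data; name="${quote(fieldName)}"; filename="${quote(fileName)}"` + CRLF +
    `Content-Type: ${mimeType}` + CRLF + CRLF;
}

// List the header field names a receiver would see in the header block.
function headerNames(block) {
  const head = block.split(CRLF + CRLF)[0];
  return head.split(CRLF).map((line) => line.slice(0, line.indexOf(":")));
}

// Run both builders on the constructed sample and report what each produces.
function demo() {
  const unsafeNames = headerNames(buildPartHeadersUnsafe("file", SAMPLE_FILENAME, "text/plain"));
  let rejected = false;
  try {
    buildPartHeadersSafe("file", SAMPLE_FILENAME, "text/plain");
  } catch (err) {
    rejected = err instanceof RangeError;
  }
  return { unsafeNames, rejected };
}

console.log(demo());
```

The unsafe builder yields three header fields from two intended ones; the hardened builder rejects the same input before any header is written.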

Remediation

Upgrade cordova-plugin-file-transfer to version 1.3.0 or higher.

CVSS Score

4.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Credit: Muneaki Nishimura
CVE: CVE-2015-5204
CWE: CWE-93
Snyk ID: npm:cordova-plugin-file-transfer:20150826
Disclosed: 25 Aug, 2015
Published: 21 Jun, 2017