CRITICAL🇬🇧 English

CVE-2014-0073

CVSS 9.8v3.0pub. 2017-10-30upd. 2026-05-13

The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.

oryginał EN
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Cordova

    APP
    Apache
    2.6.0 – 2.9.0
  • Apache Cordova In App Browser

    APP
    Apache
    ≤ 0.3.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2021-21315HIGH7.1⚠ KEVten sam produkt

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of f...

CVE-2017-3160HIGH7.4ten sam produkt

After the Android platform is added to Cordova the first time, or after a project is created using the build s...

CVE-2014-0072HIGH7.5ten sam produkt

ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer)...

CVE-2016-6799HIGH7.5ten sam produkt

Product: Apache Cordova Android 5.2.2 and earlier. The application calls methods of the Log class. Messages pa...

CVE-2014-1881HIGH7.5ten sam produkt

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intende...