Skip to main content

Cordova

17 CVEs product

Monthly

CVE-2021-21315 npm HIGH POC KEV PATCH THREAT This Week

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation Cordova
NVD GitHub
CVSS 3.1
7.8
EPSS
90.2%
CVE-2020-11990 LOW Monitor

We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Cordova
NVD
CVSS 3.1
3.3
EPSS
0.7%
CVE-2014-0073 CRITICAL PATCH Act Now

The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.4%.

Apache Apple Privilege Escalation Cordova In App Browser Cordova
NVD GitHub
CVSS 3.0
9.8
EPSS
11.4%
CVE-2014-0072 HIGH PATCH This Week

ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apple Apache Information Disclosure Cordova File Transfer Cordova
NVD GitHub
CVSS 3.0
7.5
EPSS
1.5%
CVE-2015-1835 MEDIUM POC This Month

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Google Apache Information Disclosure Cordova
NVD
CVSS 3.0
5.3
EPSS
0.6%
CVE-2016-6799 npm HIGH PATCH This Week

Product: Apache Cordova Android 5.2.2 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Google Apache Information Disclosure Cordova
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2015-5208 MEDIUM This Month

Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Apache Cordova
NVD
CVSS 3.0
4.4
EPSS
1.8%
CVE-2015-5207 MEDIUM This Month

Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Apache Cordova
NVD
CVSS 3.0
5.3
EPSS
0.1%
CVE-2015-8320 MEDIUM This Month

Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Information Disclosure Apache Cordova
NVD
CVSS 2.0
5.0
EPSS
1.9%
CVE-2015-5256 MEDIUM This Month

Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Google Apache Cordova
NVD
CVSS 2.0
4.3
EPSS
0.7%
CVE-2014-3502 MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Google Information Disclosure Apache Cordova
NVD
CVSS 2.0
4.3
EPSS
1.5%
CVE-2014-3501 MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Google Apache Cordova
NVD
CVSS 2.0
4.3
EPSS
1.7%
CVE-2014-3500 MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Information Disclosure Apache Cordova
NVD
CVSS 2.0
6.4
EPSS
1.2%
CVE-2014-1884 HIGH POC This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier on Windows Phone 7 and 8 do not properly restrict navigation events, which allows remote attackers to bypass intended. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Adobe Apache Microsoft Cordova +1
NVD
CVSS 2.0
7.5
EPSS
2.0%
CVE-2014-1882 HIGH This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Adobe Apache Phonegap Cordova
NVD
CVSS 2.0
7.5
EPSS
7.7%
CVE-2014-1881 HIGH POC PATCH This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Adobe Apache Cordova Phonegap
NVD
CVSS 2.0
7.5
EPSS
1.9%
CVE-2012-6637 HIGH POC PATCH This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier do not anchor the end of domain-name regular expressions, which allows remote attackers to bypass a whitelist protection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Adobe Apache Authentication Bypass Cordova Phonegap
NVD
CVSS 2.0
7.5
EPSS
1.3%
EPSS 90% CVSS 7.8
HIGH POC KEV PATCH THREAT This Week

The System Information Library for Node.JS (npm package "systeminformation") is an open source collection of functions to retrieve detailed hardware, system and OS information. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Node.js Command Injection Systeminformation +1
NVD GitHub
EPSS 1% CVSS 3.3
LOW Monitor

We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Cordova
NVD
EPSS 11% CVSS 9.8
CRITICAL PATCH Act Now

The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 11.4%.

Apache Apple Privilege Escalation +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apple Apache Information Disclosure +2
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC This Month

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Google Apache Information Disclosure +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Product: Apache Cordova Android 5.2.2 and earlier. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Google Apache Information Disclosure +1
NVD
EPSS 2% CVSS 4.4
MEDIUM This Month

Apache Cordova iOS before 4.0.0 allows remote attackers to execute arbitrary plugins via a link. Rated medium severity (CVSS 4.4), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Apple Information Disclosure Apache +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Apache +1
NVD
EPSS 2% CVSS 5.0
MEDIUM This Month

Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Information Disclosure Apache +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Google Apache +1
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to open and send data to arbitrary applications via a URL with a crafted URI scheme for an Android intent. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Google Information Disclosure Apache +1
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to bypass the HTTP whitelist and connect to arbitrary servers by using JavaScript to open WebSocket connections through WebView. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Google Apache +1
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

Apache Cordova Android before 3.5.1 allows remote attackers to change the start page via a crafted intent URL. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google Information Disclosure Apache +1
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier on Windows Phone 7 and 8 do not properly restrict navigation events, which allows remote attackers to bypass intended. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Adobe Apache +3
NVD
EPSS 8% CVSS 7.5
HIGH This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Adobe Apache +2
NVD
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier allow remote attackers to bypass intended device-resource restrictions of an event-based bridge via a crafted library clone that. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation Adobe Apache +2
NVD
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and earlier do not anchor the end of domain-name regular expressions, which allows remote attackers to bypass a whitelist protection. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Adobe Apache Authentication Bypass +2
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy