CVE-2014-0073

CWE-2643 documents3 sources

Severity

9.8CRITICAL

EPSS

11.4%

top 6.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Cordova Apache Cordova In-app-browser

Timeline

PublishedOct 30

Latest updateMay 14

Description

The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/cordova_in-app-browser0.3.1

▶NVDapache/cordova2.6.0 — 2.9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5f44-2f3g-gf6q: The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org↗2022-05-14

▶

CVEList

CVE-2014-0073: The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org↗2017-10-30

▶