Apache Cordova For Android Security Restriction Bypass Vulnerability (CVE-2014-3500)
Release date:
Updated on:
Affected Systems:
Apache Group Cordova <3.5.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69038
CVE (CAN) ID: CVE-2014-3500
Apache Cordova is a platform for building native mobile applications using HTML, CSS, and JavaScript.
Android applications built using Apache Cordova for Android 3.5.0 and other versions can be started with a specially crafted URL, which causes the application to load a start page other than the one the developer intended. This is a cross-application scripting vulnerability in the implementation; attackers can exploit it to bypass certain security restrictions and perform unauthorized operations.
<* Source: David Kaplan
Roee Hay
Link: http://cordova.apache.org/announcements/2014/08/04/android-351.html
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://cordova.apache.org/
http://cordova.apache.org/announcements/2014/08/04/android-351.html