CVE-2014-0073
Published: Oct 30, 2017
Modified: Aug 6, 2024
PUBLISHED
Description
The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | affected n/a |
References
| Reference | Type | Source tag |
|---|---|---|
| 20140304 [CVE-2014-0073] Apache Cordova In-App-Browser privilege escalation | mailing-list | x_refsource_BUGTRAQ |
| 65959 | vdb-entry | x_refsource_BID |
| http://d3adend.org/blog/?p=403 | | x_refsource_MISC |
| [cordova-dev] 20140304 [CVE-2014-0073] Apache Cordova In-App-Browser privilege escalation | mailing-list | x_refsource_MLIST |
| apache-cordova-cve20140073-priv-esc(91560) | vdb-entry | x_refsource_XF |
| 20140304 [CVE-2014-0073] Apache Cordova In-App-Browser privilege escalation | mailing-list | x_refsource_FULLDISC |