- 漏洞信息

102796
Apache Cordova / PhoneGap on Android iframe Content Domain Whitelisting Bypass
Context Dependent, Mobile Phone / Hand-held Device Input Manipulation
Loss of Integrity Third-Party Solution
Exploit Unknown No Vendor Response

- 漏洞描述

Apache Cordova and PhoneGap contain a flaw that is due to the URL interception ignoring iframe and XMLHttpRequest URLs. With a specially crafted script inside an iframe, a context-dependent attacker to bypass domain white listing by calling execute =cordova.require('cordova/exec'); var opts =cordova.require('cordova/plugin/ ContactFindOptions' ); and directly operating on these objects.

- 时间线

2014-01-24 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or vendor upgrades to correct this issue. However, the researchers who disclosed this issue have released 'NoFrak', which they claim fixes this vulnerability. As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站