CVE-2015-1835

Published: Oct 27, 2017Modified: May 13, 2026

5.3

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.

Affected (3)

Products: Apache: Cordova

Apache

1 product

Cordova

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Apache Cordova	Up to 3.7.1
Apache Cordova	Version 4.0.0
Apache Cordova	Version 4.0.1

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/

Source: secalert@redhat.com

ExploitTechnical DescriptionThird Party Advisory

http://www.securityfocus.com/bid/74866

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://cordova.apache.org/announcements/2015/05/26/android-402.html

Source: secalert@redhat.com

Release NotesVendor Advisory

http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitTechnical DescriptionThird Party Advisory

http://www.securityfocus.com/bid/74866

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://cordova.apache.org/announcements/2015/05/26/android-402.html

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.