CVE-2015-5256

Published: Nov 23, 2015Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access restrictions via a crafted URI.

Affected (1)

Products: Apache: Cordova

Apache

1 product

Cordova

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Cordova	Up to 3.6.4

Related CWEs

CWE-264

References (12)

http://jvn.jp/en/jp/JVN18889193/index.html

Source: secalert@redhat.com

http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000187.html

Source: secalert@redhat.com

http://packetstormsecurity.com/files/134497/Apache-Cordova-3.7.2-Whitelist-Failure.html

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/536944/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/bid/77677

Source: secalert@redhat.com

https://cordova.apache.org/announcements/2015/11/20/security.html

Source: secalert@redhat.com

Vendor Advisory

http://jvn.jp/en/jp/JVN18889193/index.html