Remote Code Execution Vulnerability in Apache Cordova and Adobe PhoneGap
CVE-2014-1881

Currently unrated

Key Information:

Vendor: Apache
Status: Cordova
Vendor: CVE Published:; 3 March 2014

What is CVE-2014-1881?

The vulnerability identified in Apache Cordova and Adobe PhoneGap allows remote attackers to bypass crucial device-resource restrictions. This is achieved through a crafted library clone that exploits the event-based bridge mechanism. Attackers can leverage IFRAME script execution to manipulate event handling, specifically by waiting for an OnJsPrompt handler's return value without proper synchronization, leading to unauthorized access to device resources.

References

http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf

x_refsource_MISC

http://www.internetsociety.org/ndss2014/programme#session3

x_refsource_MISC

http://seclists.org/bugtraq/2014/Jan/96

mailing-listx_refsource_BUGTRAQ

EPSS Score

7% chance of being exploited in the next 30 days.

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 3, 2014
Vulnerability Reserved
Feb 7, 2014