Navigation Event Bypass in Apache Cordova and Adobe PhoneGap on Windows Phone
CVE-2014-1884

Currently unrated

Key Information:

Vendor: Apache
Status: Cordova
Vendor: CVE Published:; 3 March 2014

Summary

The vulnerability allows remote attackers to circumvent restrictions on device resources through improper handling of navigation events. Specific methods exploited include accessing content via IFRAME elements or using the XMLHttpRequest method within crafted applications. This security flaw potentially exposes sensitive information and enables unauthorized actions on affected Windows Phone devices.

References

http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf

x_refsource_MISC

http://www.internetsociety.org/ndss2014/programme#session3

x_refsource_MISC

http://seclists.org/bugtraq/2014/Jan/96

mailing-listx_refsource_BUGTRAQ

Timeline

Vulnerability published
Mar 3, 2014
Vulnerability Reserved
Feb 7, 2014