Remote Code Execution Vulnerability in Apache Cordova for Android
CVE-2014-3501
Currently unrated
Summary
Apache Cordova for Android prior to version 3.5.1 contains a vulnerability that allows malicious users to connect to unauthorized servers. This is achieved by exploiting the WebView component to initiate WebSocket connections, thereby bypassing the designated HTTP whitelist. Attackers can leverage this loophole to execute arbitrary commands, potentially leading to unauthorized data access and manipulation.