CVE-2015-1835

low-risk
Published 2017-10-27

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.

Do I need to act?

-
0.62% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / HIGH complexity

Affected Products (3)

Affected Vendors

Apache

References (6)

Exploit http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers...
Third Party Advisory http://www.securityfocus.com/bid/74866
Release Notes https://cordova.apache.org/announcements/2015/05/26/android-402.html
Exploit http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers...
Third Party Advisory http://www.securityfocus.com/bid/74866
Release Notes https://cordova.apache.org/announcements/2015/05/26/android-402.html
28
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 2/34 · Minimal
Exposure 9/34 · Low