CVE-2014-1882

Name of the Vulnerable Software and Affected Versions Apache Cordova versions 3.3.0 and earlier Adobe PhoneGap versions 2.9.0 and earlier

Description The issue allows remote attackers to bypass intended device-resource restrictions of an event-based bridge. This can be achieved via a crafted library clone that leverages IFRAME script execution and directly accesses bridge JavaScript objects. For example, certain cordova.require calls can be used to demonstrate this bypass.

Recommendations For Apache Cordova versions 3.3.0 and earlier, consider restricting access to the bridge JavaScript objects until a fix is available. For Adobe PhoneGap versions 2.9.0 and earlier, avoid using certain cordova.require calls that can be used to bypass device-resource restrictions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.