PT-2019-5794 · Apache Cordova · Cordova-Plugin-Inappbrowser

Published

2019-11-27

Updated

2022-07-25

CVE-2019-0219

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions cordova-plugin-inappbrowser versions prior to 3.1.0

Description The issue is related to the Cordova In-App-Browser extension for Android, where a lack of protection for the web page structure can be exploited. This allows a remote attacker to execute arbitrary JavaScript code using a specially crafted URI containing the "gap-iab:" scheme. A website running in the InAppBrowser webview on Android could execute arbitrary JavaScript in the main application's webview.

Recommendations Upgrade to version 3.1.0 or later. As a temporary workaround, consider restricting the use of the gap-iab: scheme in the InAppBrowser webview to minimize the risk of exploitation.

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

BDU:2021-02406

CVE-2019-0219

GHSA-C6PW-Q7F2-97HV

Affected Products

Cordova-Plugin-Inappbrowser

PT-2019-5794 · Apache Cordova · Cordova-Plugin-Inappbrowser

CVE-2019-0219

Weakness Enumeration

Related Identifiers

Affected Products

References · 14