| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAE6O_-a4mVHHvxgofN=6EEerm2kJ5e54+f55NrjKmL+g59Theg@mail.gmail.com> Date: Fri, 20 Nov 2015 11:47:09 -0800 From: Shazron <shazron@...che.org> To: bugtraq@...urityfocus.com Subject: Fwd: CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions ---------- Forwarded message ---------- From: Joe Bowser <bowserj@...il.com> Date: Fri, Nov 20, 2015 at 11:39 AM Subject: CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions To: vuls@...ert.or.jp, "security@...che.org" <security@...che.org>, dev <dev@...dova.apache.org>, "private@...dova.apache.org" <private@...dova.apache.org>, bugtraq@...urityfocus.com, oss-security@...ts.openwall.com ====================================================================== CVE-2015-5256: Apache Cordova vulnerable to improper application of whitelist restrictions Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Cordova Android 3.7.2 and earlier Description: Android applications created using Apache Cordova that use a remote server contain a vulnerability where whitelist restrictions are not properly applied. Improperly crafted URIs could be used to circumvent the whitelist, allowing for the execution of non-whitelisted Javascript. Upgrade path: Developers who are concerned about this should rebuild their applications with Cordova Android 4.1.1 or later and use the new whitelist. Developers using remote content roots should also use SSL, as well as Content Security Policy to further mitigate this issue. Credit: Muneaki Nishimura of Sony Digital Network Applications, Inc
Powered by blists - more mailing lists