Apache Cordova / CB-11900

Cordova security vulnerability: Insufficient input validation


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: cordova-js
    • Labels: None

      Description

      In a recent Veracode scan of the mobile application, we found a medium vulnerability:

      Insufficient Input validation

      Description:
      Weaknesses in this category are related to an absent or incorrect protection mechanism that fails to properly validate input that can affect the control flow or data flow to a program.

      Recommendations
      Validate input from untrusted sources before it is used.

      Associated flaws by CWE ID:
      URL redirection to untrusted site ('open redirect') (CWE ID 601)

      Description
      A web application accepts a user-controlled input that specifies a link to an external site and uses that link to generate a redirect. This enables phishing attacks.

      Recommendation is to always validate user-supplied input to ensure it conforms to the expected format, using centralized data validation routines when possible. Check the supplied URL against a whitelist of approved URLs or domains before redirecting.

      InAppBrowser.java: 447 and 449
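As an added example that is not part of this issue or of Cordova's own code: a JavaScript allowlist check of the kind the recommendation above describes, applied in the app before a URL is handed to cordova.InAppBrowser.open(). The ALLOWED_HOSTS list, the openIfAllowed wrapper and its injected openFn parameter are assumptions for illustration.

```javascript
// Added example (not from Cordova or this issue): allowlist a URL before
// passing it to InAppBrowser. Uses the WHATWG URL parser (Node and modern
// WebViews) so scheme and host are parsed rather than matched with a regex.

const ALLOWED_HOSTS = ['example.com', 'docs.example.com']; // constructed allowlist

// Returns the normalized URL string if it is allowed, otherwise null.
function allowedRedirectTarget(input, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(String(input)); // relative paths and garbage input throw
  } catch (e) {
    return null;
  }
  // Only https: is accepted, which also rejects javascript:, file:,
  // intent: and data: URLs as well as a downgrade to http:.
  if (url.protocol !== 'https:') return null;
  // "https://example.com@evil.net/" parses with host evil.net and
  // userinfo "example.com"; reject anything carrying credentials.
  if (url.username || url.password) return null;
  // Exact host match (the parser lowercases hostname). No suffix matching,
  // so "example.com.evil.net" and "notexample.com" are both rejected.
  if (!allowedHosts.includes(url.hostname)) return null;
  return url.href;
}

// Wrapper a Cordova app would call instead of cordova.InAppBrowser.open
// directly. openFn is injected (assumption) so the check can run outside
// a WebView; in the app it would be cordova.InAppBrowser.open.
function openIfAllowed(input, openFn) {
  const target = allowedRedirectTarget(input);
  if (target === null) return false;
  openFn(target, '_blank', 'location=yes');
  return true;
}
```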

            People

            • Assignee: jcesarmobile
            • Reporter: Ajay Gupta (ajaygupta0512)
            • Votes: 0
            • Watchers: 2
