GitHub Advisory Database: GHSA-X2PH-QQWM-9CC6
Published: Jul 15, 2023, 9:30 p.m.

CleverTap Cordova plugin vulnerable to Cross-site Scripting

2023-07-15 21:30:16
CWE-79
Source: GitHub Advisory Database (github.com)

Tags: clevertap, cordova, cross-site scripting, remote attacker, javascript, deeplinks, data validation, vulnerable software

CVSS3: 9.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

EPSS: 0.001
Percentile: 45.0%

CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink.

This is possible because the plugin does not correctly validate the data coming from deeplinks before using it.

Affected configurations

Vulners node: clevertap / clevertap-cordova, range: 2.6.2

Vendor     Product             Version   CPE
clevertap  clevertap-cordova   *         cpe:2.3:a:clevertap:clevertap-cordova:*:*:*:*:*:*:*:*
