Ajay Gupta created CB-11900:
-------------------------------
Summary: Cordova security vulnerability: Insufficient input
validation
Key: CB-11900
URL: https://issues.apache.org/jira/browse/CB-11900
Project: Apache Cordova
Issue Type: Bug
Components: CordovaJS
Reporter: Ajay Gupta
In a recent Veracode scan of the mobile application, we found a medium
vulnerability:
Insufficient input validation
Description:
Weaknesses in this category are related to an absent or incorrect protection
mechanism that fails to properly validate input that can affect the control
flow or data flow to a program.
Recommendations
Validate input from untrusted sources before it is used.
Associated flaws by CWE ID:
URL redirection to untrusted site ('open redirect') (CWE ID 601)
Description
A web application accepts a user-controlled input that specifies a link to an
external site and uses that link to generate a redirect. This enables phishing
attacks.
Recommendation is to always validate user-supplied input to ensure it conforms
to the expected format, using centralized data validation routines when
possible. Check the supplied URL against a whitelist of approved URLs or
domains before redirecting.
InAppBrowser.java: 447 and 449
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
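The check the Veracode recommendation above asks for (compare the supplied URL against an allowlist of approved origins before handing it to the browser), as an added example. This is not code from the Cordova project or from the reporter; it is an app-side JavaScript helper that would sit in front of a call such as cordova.InAppBrowser.open, and the allowlisted hosts, the fallback page and the injected `open` callback are assumptions for the example. It compares the parsed origin exactly rather than checking a host suffix or substring, which is what lets the usual bypasses through.

```javascript
// Added example, not Cordova project code: allowlist a URL before passing it
// to an InAppBrowser / window.open style opener. Hosts below are assumed.

const ALLOWED_ORIGINS = new Set([
  'https://example.com',        // assumed trusted hosts for this app
  'https://help.example.com',
]);

// Where to send the user when the requested URL is not on the allowlist.
const SAFE_FALLBACK = 'https://example.com/';

// Returns true only when `raw` parses as an absolute https URL whose origin
// exactly matches an allowlisted origin. Exact origin comparison (after the
// parser normalises case and default ports) rejects the classic open-redirect
// bypasses: host suffixes ("example.com.evil.net"), embedded credentials
// ("https://example.com@evil.net"), scheme swaps ("javascript:", "http:") and
// protocol-relative strings ("//evil.net", which throws with no base URL).
function isAllowedUrl(raw, allowed = ALLOWED_ORIGINS) {
  if (typeof raw !== 'string') return false;
  let url;
  try {
    url = new URL(raw);           // no base URL: relative/malformed input throws
  } catch (_) {
    return false;
  }
  if (url.protocol !== 'https:') return false;
  if (url.username || url.password) return false;   // userinfo is never expected
  return allowed.has(url.origin);
}

// Wrapper around the opener. `open` is injected so the function runs without
// Cordova; in an app it would be cordova.InAppBrowser.open (assumption about
// the caller's wiring). Returns the URL actually opened.
function safeOpen(raw, open, allowed = ALLOWED_ORIGINS) {
  const target = isAllowedUrl(raw, allowed) ? raw : SAFE_FALLBACK;
  open(target, '_blank', 'location=yes');
  return target;
}

// Stand-alone demonstration with constructed inputs.
const samples = [
  'https://example.com/account?x=1',
  'https://example.com.evil.net/',
  'https://example.com@evil.net/',
  '//evil.net',
  'javascript:alert(1)',
];
for (const s of samples) {
  safeOpen(s, (u) => console.log(`${s} -> opens ${u}`));
}
```

Keeping the list as full origins rather than bare hostnames is deliberate: it forces the scheme check and stops an http: link to a trusted host from being accepted, and the Set lookup keeps the validation routine in one place, as the recommendation asks.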