Critical severity9.8NVD Advisory· Published Oct 30, 2017· Updated May 13, 2026

CVE-2014-0073

Description

The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI.

Affected products

Apache/Cordova In App Browser
cpe:2.3:a:apache:cordova_in-app-browser:*:*:*:*:*:iphone_os:*:*
Range: <=0.3.1
Apache/Cordova
cpe:2.3:a:apache:cordova:*:*:*:*:*:iphone_os:*:*
Range: >=2.6.0,<=2.9.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/apache/cordova-plugin-inappbrowser/commit/26702cb0720c5c394b407c23570136c53171fa55nvdIssue TrackingPatchVendor Advisory
d3adend.org/blog/nvdIssue TrackingThird Party Advisory
seclists.org/fulldisclosure/2014/Mar/30nvdMailing ListThird Party Advisory
www.securityfocus.com/bid/65959nvdThird Party AdvisoryVDB Entry
exchange.xforce.ibmcloud.com/vulnerabilities/91560nvdIssue TrackingThird Party AdvisoryVDB Entry
www.securityfocus.com/archive/1/531334/100/0/threadednvd
mail-archives.apache.org/mod_mbox/cordova-dev/201403.mbox/%3CCAK_TSXLGJag5Q9ATUCbFtkWvMWX9XnC80kKp-HKi25gPcvV4gw%40mail.gmail.com%3Envd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.009
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000