Medium severity5.3NVD Advisory· Published Oct 27, 2017· Updated May 13, 2026

CVE-2015-1835

Description

Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL.

Affected products

Apache/Cordova3 versions
cpe:2.3:a:apache:cordova:4.0.0:*:*:*:*:android:*:*+ 2 more
- cpe:2.3:a:apache:cordova:4.0.0:*:*:*:*:android:*:*
- cpe:2.3:a:apache:cordova:4.0.1:*:*:*:*:android:*:*
- cpe:2.3:a:apache:cordova:*:*:*:*:*:android:*:*range: <=3.7.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-apache-vulnerability-that-allows-one-click-modification-of-android-apps/nvdExploitTechnical DescriptionThird Party Advisory
www.securityfocus.com/bid/74866nvdThird Party AdvisoryVDB Entry
cordova.apache.org/announcements/2015/05/26/android-402.htmlnvdRelease NotesVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000