===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1085
     A vulnerability has been identified in Adobe PhoneGap Push Plugin
                               11 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe PhoneGap Push Plugin
Publisher:         Adobe
Operating System:  Android
                   Apple iOS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4943

Original Bulletin:
   https://helpx.adobe.com/security/products/phonegap/apsb18-15.html

--------------------------BEGIN INCLUDED TEXT--------------------

Adobe Security Bulletin

Applies to: PhoneGap Build

Last Published: April 11, 2018

Security update available for the Adobe PhoneGap Push Plugin | APSB18-15

+-------------------------+--------------------------------+------------------+
|Bulletin ID              |Date Published                  |Priority          |
+-------------------------+--------------------------------+------------------+
|APSB18-15                |April 10, 2018                  |3                 |
+-------------------------+--------------------------------+------------------+

Summary

Adobe has released an update for the Adobe PhoneGap Push plugin. This update
resolves a Same-Origin Method Execution (SOME) vulnerability (CVE-2018-4943)
that exists in PhoneGap apps built with the affected version of the Push
plugin. This vulnerability could be exploited to trick users of PhoneGap apps
into executing click events and other unintended user interactions.

Affected Versions

+----------------------+----------------------+----------------------+
|       Product        |  Affected Versions   |       Platform       |
+----------------------+----------------------+----------------------+
|Adobe PhoneGap Push   |1.8.0 and earlier     |All                   |
|plugin                |versions              |                      |
+----------------------+----------------------+----------------------+

Solution

Adobe categorizes this update with the following priority rating and
recommends users update their installations to the newest versions:

+-------------------------+--------------+--------+--------------+------------+
|         Product         |   Updated    |Platform|   Priority   |Availability|
|                         |   Version    |        |    rating    |            |
+-------------------------+--------------+--------+--------------+------------+
|Adobe PhoneGap Push      |2.1.0         |All     |3             |Github      |
|plugin                   |              |        |              |            |
+-------------------------+--------------+--------+--------------+------------+

Note: After updating to the latest version of the plugin, application authors
should recompile any apps built with PhoneGap using the new plugin.

Vulnerability Details

+--------------+-----------------------------+---------+----------------------+
|Vulnerability |    Vulnerability Impact     |Severity |     CVE Numbers      |
|   Category   |                             |         |                      |
+--------------+-----------------------------+---------+----------------------+
|Same-Origin   |JavaScript code execution in |         |                      |
|Method        |the context of the PhoneGap  |Important|CVE-2018-4943         |
|Execution     |app                          |         |                      |
+--------------+-----------------------------+---------+----------------------+

Acknowledgements

Adobe would like to thank Juho Nurminen of 2NS - Second Nature Security Oy
(CVE-2018-4943) for reporting this issue and for working with Adobe to help
protect our customers.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins you
should contact your local IT manager. If you do not know who that is, please
send an email to auscert@auscert.org.au and we will forward your request to
the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.