CVE-2023-2507

CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker. This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://fluidattacks.com/advisories/maiden/	Exploit Third Party Advisory
https://github.com/CleverTap/clevertap-cordova	Product
https://github.com/CleverTap/clevertap-cordova/releases/tag/2.7.0
https://fluidattacks.com/advisories/maiden/	Exploit Third Party Advisory
https://github.com/CleverTap/clevertap-cordova	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:clevertap:clevertap:2.6.2:*:*:*:*:cordova:*:*

History

24 Sep 2025, 14:15

Type	Values Removed	Values Added
Summary	(en) CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker. This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.	(en) CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker. This is possible because the plugin does not correctly validate the data coming from the deeplinks before using them.
References		() https://github.com/CleverTap/clevertap-cordova/releases/tag/2.7.0 -

Information

Published : 2023-07-15 19:15

Updated : 2025-09-24 14:15

NVD link : CVE-2023-2507

Mitre link : CVE-2023-2507

CVE.ORG link : CVE-2023-2507

JSON object : View

Products Affected

clevertap

clevertap

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-2507", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "help@fluidattacks.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-07-15T19:15:09.527", "references": [{"url": "https://fluidattacks.com/advisories/maiden/", "tags": ["Exploit", "Third Party Advisory"], "source": "help@fluidattacks.com"}, {"url": "https://github.com/CleverTap/clevertap-cordova", "tags": ["Product"], "source": "help@fluidattacks.com"}, {"url": "https://github.com/CleverTap/clevertap-cordova/releases/tag/2.7.0", "source": "help@fluidattacks.com"}, {"url": "https://fluidattacks.com/advisories/maiden/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/CleverTap/clevertap-cordova", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "help@fluidattacks.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink by an attacker.\n\nThis is possible because the plugin does not correctly validate the data coming from the deeplinks before using them."}], "lastModified": "2025-09-24T14:15:46.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:clevertap:clevertap:2.6.2:*:*:*:*:cordova:*:*", "vulnerable": true, "matchCriteriaId": "2EEC3FB3-3FF2-40BB-B1E0-BC257CAE38D6"}], "operator": "OR"}]}], "sourceIdentifier": "help@fluidattacks.com"}