CVE-2023-2507

9.3 CRITICAL

📋 TL;DR

This vulnerability in CleverTap Cordova Plugin allows remote attackers to execute arbitrary JavaScript code in applications that open specially crafted deeplinks. Attackers can exploit improper validation of deeplink data to run malicious scripts in the context of affected mobile applications. All applications using vulnerable versions of the CleverTap Cordova Plugin are affected.

💻 Affected Systems

Products:
  • CleverTap Cordova Plugin
Versions: up to and including 2.6.2
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all applications using the vulnerable plugin version regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of mobile application functionality, data theft, session hijacking, and potential device takeover through chained exploits.

🟠 Likely Case

Malicious JavaScript execution leading to data exfiltration, phishing attacks, or unauthorized actions within the application.

🟢 If Mitigated

Limited impact with proper input validation and deeplink sanitization in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction to open malicious deeplinks but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0

Vendor Advisory: https://github.com/CleverTap/clevertap-cordova/releases/tag/2.7.0

Restart Required: Yes

Instructions:

1. Update CleverTap Cordova Plugin to version 2.7.0 or later.
2. Rebuild and redeploy your mobile application.
3. Test deeplink functionality after the update.

🔧 Temporary Workarounds

Disable deeplink handling (applies to: all)

Temporarily disable or restrict deeplink processing in the application.

Implement custom deeplink validation (applies to: all)

Add an additional validation layer for all incoming deeplinks before processing.
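An added example of the validation layer this workaround describes (not CleverTap's or the plugin's code): a Cordova-side allow-list check in JavaScript that refuses script-capable schemes, including ones nested in query parameters, before a deeplink reaches a WebView or router. The scheme and host names are constructed for illustration.

```javascript
const ALLOWED_SCHEMES = new Set(['myapp:', 'https:']);            // constructed for illustration
const ALLOWED_HOSTS = new Set(['open', 'deeplink.example.com']);  // constructed for illustration
// Schemes whose URLs carry executable or inline content; a deeplink should never route these.
const SCRIPT_SCHEMES = new Set(['javascript:', 'data:', 'vbscript:', 'blob:', 'file:']);

// Lowercased scheme of a string that parses as an absolute URL, else null.
function schemeOf(candidate) {
  try {
    return new URL(candidate).protocol.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Validate one incoming deeplink before the app acts on it.
// Returns { ok: true, url } for an accepted link, or { ok: false, reason } for a rejected one.
function validateDeeplink(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'empty or oversized input' };
  }
  let url;
  try {
    // WHATWG parsing strips embedded tabs/newlines, so "java\tscript:" normalizes to "javascript:"
    url = new URL(raw);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  const scheme = url.protocol.toLowerCase();
  if (SCRIPT_SCHEMES.has(scheme)) {
    return { ok: false, reason: `script-capable scheme ${scheme}` };
  }
  if (!ALLOWED_SCHEMES.has(scheme)) {
    return { ok: false, reason: `scheme ${scheme} not allow-listed` };
  }
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: `host "${url.hostname}" not allow-listed` };
  }
  // Query values are often forwarded to a WebView or router; reject nested script URLs too.
  for (const [key, value] of url.searchParams) {
    const nested = schemeOf(value.trim());
    if (nested !== null && SCRIPT_SCHEMES.has(nested)) {
      return { ok: false, reason: `parameter "${key}" carries a ${nested} URL` };
    }
  }
  return { ok: true, url: url.href };
}
```

Call `validateDeeplink` on the raw string the platform hands the app and only pass `result.url` onward when `result.ok` is true; the rejection reasons line up with the `javascript:` and `data:` patterns worth logging for the SIEM.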

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to restrict JavaScript execution.
  • Monitor for suspicious deeplink patterns and block malicious URLs at network perimeter.

🔍 How to Verify

Check if Vulnerable:

Check package.json or plugin configuration for CleverTap Cordova Plugin version 2.6.2 or earlier.

Check Version:

cordova plugin list | grep clevertap-cordova

Verify Fix Applied:

Confirm CleverTap Cordova Plugin version is 2.7.0 or later in your application dependencies.

📡 Detection & Monitoring

Log Indicators:

  • Unusual deeplink patterns in application logs
  • JavaScript execution errors from unexpected sources

Network Indicators:

  • Requests to known malicious domains from mobile applications
  • Suspicious URL patterns in deeplink traffic

SIEM Query:

source="mobile_app_logs" AND (deeplink="*javascript:*" OR deeplink="*data:*")
