2020-11-30-cve-2020-11990
diff --git a/www/_posts/2020-11-30-cve-2020-11990.md b/www/_posts/2020-11-30-cve-2020-11990.md
new file mode 100644
index 0000000..9ca5d35
--- /dev/null
+++ b/www/_posts/2020-11-30-cve-2020-11990.md
@@ -0,0 +1,52 @@
+
+---
+layout: post
+author:
+ name: Jesse MacFadyen
+title: "Security Advisory CVE-2020-11990"
+categories: news
+tags: security advisory
+---
+
+We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications.
+
+__CVE-2020-11990:__ Apache Cordova Plugin camera vulnerable to information disclosure
+
+__Type of Vulnerability:__
+
+CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
+
+__Severity:__ Low
+
+__Vendor:__ The Apache Software Foundation
+
+__Possible attackers condition:__
+
+An attacker who can install (or lead the victim to install) the specially crafted (or malicious) Android application. Android documentation describes the external cache location as application specific, however,
+_"There is no security enforced with these files. For example, any application holding Manifest.permission.WRITE_EXTERNAL_STORAGE can write to these files."_
+( and thereby read )
+
+__Possible victims:__
+
+Android users that take pictures with an Apache Cordova based application and attached removable storage.
+
+__Possible Impacts:__
+
+- Confidentiality is breached.
+- The image file (photo) taken by the Android apps that was developed using the Apache Cordova camera plugin will be disclosed.
+
+__Versions Affected:__
+
+Cordova Android applications using the Camera plugin
+
+( cordova-plugin-camera version 4.1.0 and below )
+
+__Upgrade path:__
+
+Developers who are concerned about this issue should install version 5.0.0 or higher of cordova-plugin-camera
+
+__Mitigation Steps:__
+
+Upgrade plugin and rebuild application, update deployments.
+
+__Credit:__ JPCERT/CC Vulnerability Coordination Group. (JVN#59779918)
\ No newline at end of file
