CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-25908
https://notcve.org/view.php?id=CVE-2022-25908
All versions of the package create-choo-electron are vulnerable to Command Injection via the devInstall function due to improper user-input sanitization. Todas las versiones del paquete create-choo-electron son vulnerables a la inyección de comandos a través de la función devInstall debido a una sanitización inadecuada de la entrada del usuario. • https://security.snyk.io/vuln/SNYK-JS-CREATECHOOELECTRON-3157953 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2016-10534
https://notcve.org/view.php?id=CVE-2016-10534
electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron. The `--strict-ssl` command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not explicitly set to true. This could allow an attacker to perform a man in the middle attack. electron-packager es una herramienta de línea de comandos que empaqueta código fuente Electron en los paquetes ".app" y ".exe" junto con Electron. La opción de línea de comandos "--strict-ssl" en electron-packager desde la versión 5.2.1 hasta la 6.0.0 y desde la versión 6.0.0 hasta la 6.0.2 se establece en false por defecto si no se marca como true explícitamente. Esto podría permitir que un atacante realice ataques Man-in-the-Middle (MitM). • https://github.com/electron-userland/electron-packager/issues/333 https://nodesecurity.io/advisories/104 • CWE-295: Improper Certificate Validation •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 2CVE-2017-12581
https://notcve.org/view.php?id=CVE-2017-12581
GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. This also affects all applications that bundle Electron code equivalent to 1.6.8 or earlier. Bypassing the Same Origin Policy (SOP) is a precondition; however, recent Electron versions do not have strict SOP enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window could be used to eval a Node.js child_process.execFile API call. • https://blog.doyensec.com/2017/08/03/electron-framework-security.html https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •