CVSS: 6.8EPSS: 0%CPEs: 100EXPL: 0CVE-2020-15215 – Context isolation bypass in Electron
https://notcve.org/view.php?id=CVE-2020-15215
06 Oct 2020 — Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nodeIntegrationInSubFrames: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Electron anteriores a las versiones 11.0.0-beta.6, 10.1.2, 9.3.1 o... • https://github.com/electron/electron/security/advisories/GHSA-56pc-6jqp-xqj8 • CWE-668: Exposure of Resource to Wrong Sphere CWE-693: Protection Mechanism Failure •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-15174 – Unpreventable top-level navigation in Electron
https://notcve.org/view.php?id=CVE-2020-15174
06 Oct 2020 — In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway. En Electron anter... • https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b • CWE-20: Improper Input Validation CWE-693: Protection Mechanism Failure •
CVSS: 6.8EPSS: 0%CPEs: 24EXPL: 0CVE-2020-15096 – Context isolation bypass via Promise in Electron
https://notcve.org/view.php?id=CVE-2020-15096
07 Jul 2020 — In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21. En Electron antes de las versiones 6.1.1, 7.2.4, 8.2.4 y 9.0.0-b... • https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg • CWE-501: Trust Boundary Violation •
CVSS: 7.5EPSS: 0%CPEs: 23EXPL: 0CVE-2020-4075 – Arbitrary file read via window-open IPC in Electron
https://notcve.org/view.php?id=CVE-2020-4075
07 Jul 2020 — In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. En Electron antes de las versiones 7.2.4, 8.2.4 y 9.0.0-beta21, una lectura arbitraria de archivos locales es posible al definir opc... • https://github.com/electron/electron/security/advisories/GHSA-f9mq-jph6-9mhm • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.0EPSS: 0%CPEs: 23EXPL: 0CVE-2020-4076 – Context isolation bypass via leaked cross-context objects in Electron
https://notcve.org/view.php?id=CVE-2020-4076
07 Jul 2020 — In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. En Electron antes de las versiones 7.2.4, 8.2.4 y 9.0.0-beta21, se presenta una omisión de aislamiento de contexto. • https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79 • CWE-501: Trust Boundary Violation •
CVSS: 9.9EPSS: 0%CPEs: 23EXPL: 0CVE-2020-4077 – Context isolation bypass via contextBridge in Electron
https://notcve.org/view.php?id=CVE-2020-4077
07 Jul 2020 — In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. En Electron antes de las versiones 7.2.4, 8.2.4 y 9.0.0-beta21, se presenta una omisión de aislamiento de contexto. • https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g • CWE-501: Trust Boundary Violation •
CVSS: 8.1EPSS: 13%CPEs: 4EXPL: 2CVE-2018-15685 – Electron WebPreferences - Remote Code Execution
https://notcve.org/view.php?id=CVE-2018-15685
23 Aug 2018 — GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution. GitHub Electron 1.7.15, 1.8.7, 2.0.7, y 3.0.0-beta.6, en determinados escenarios que incluyen elementos de IFRAME y opciones "nativeWindowOpen: true" o "sandbox: true", se ve afectado por una vulnerabilidad de WebPreferences que puede aprovecharse pa... • https://packetstorm.news/files/id/149116 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 9.8EPSS: 2%CPEs: 1EXPL: 0CVE-2017-16151
https://notcve.org/view.php?id=CVE-2017-16151
07 Jun 2018 — Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled. En base a los detalles proporcionados por el equipo ElectronJS, se ha descubierto una vulnerabilidad de ejecución remota de código en Google Chromium que afect... • https://electron.atom.io/blog/2017/09/27/chromium-rce-vulnerability-fix • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 1%CPEs: 7EXPL: 1CVE-2018-1000136
https://notcve.org/view.php?id=CVE-2018-1000136
23 Mar 2018 — Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4. Electron, en versiones desde la 1.7 hasta la 1.7.12, desde la 1.8 hasta ... • https://www.electronjs.org/blog/webview-fix • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 4%CPEs: 5EXPL: 0CVE-2018-1000118
https://notcve.org/view.php?id=CVE-2018-1000118
07 Mar 2018 — Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it. Github Ele... • https://electronjs.org/releases#1.8.2-beta.5 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •