Page 2 of 9 results (0.004 seconds)

CVSS: 9.8EPSS: 0%CPEs: 26EXPL: 0

Electron is a framework for writing cross-platform desktop applications using JavaScript (JS), HTML, and CSS. A vulnerability in versions prior to 18.0.0-beta.6, 17.2.0, 16.2.6, and 15.5.5 allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled which in turn allows effective access to `ipcRenderer`. The `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access. Rather, it depends on the existing sandbox setting. If an application is sandboxed, then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs, which include `ipcRenderer`. • https://github.com/electron/electron/security/advisories/GHSA-mq8j-3h7h-p8g7 • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 5.0EPSS: 0%CPEs: 9EXPL: 0

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. This has been patched and Electron versions `17.0.0-alpha.6`, `16.0.6`, `15.3.5`, `14.2.4`, and `13.6.6` contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue. Electron es un marco de trabajo para escribir aplicaciones de escritorio multiplataforma usando JavaScript, HTML y CSS. • https://github.com/electron/electron/pull/32178 https://github.com/electron/electron/pull/32240 https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749 • CWE-668: Exposure of Resource to Wrong Sphere CWE-862: Missing Authorization •

CVSS: 6.8EPSS: 0%CPEs: 24EXPL: 0

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21. En Electron antes de las versiones 6.1.1, 7.2.4, 8.2.4 y 9.0.0-beta21, se presenta una omisión de aislamiento de contexto, quiere decir que el código que se ejecuta en el contexto mundial principal en el renderizador puede alcanzar el contexto de Electron aislado y llevar a cabo acciones privilegiadas. • https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824 • CWE-501: Trust Boundary Violation •

CVSS: 8.1EPSS: 2%CPEs: 4EXPL: 1

GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution. GitHub Electron 1.7.15, 1.8.7, 2.0.7, y 3.0.0-beta.6, en determinados escenarios que incluyen elementos de IFRAME y opciones "nativeWindowOpen: true" o "sandbox: true", se ve afectado por una vulnerabilidad de WebPreferences que puede aprovecharse para realizar la ejecución remota de código. Electron WebPreferences suffers from a remote code execution vulnerability. Versions affected include 3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15. • https://www.exploit-db.com/exploits/45272 https://electronjs.org/blog/web-preferences-fix • CWE-1188: Initialization of a Resource with an Insecure Default •