CVSS: 6.8EPSS: 0%CPEs: 24EXPL: 0CVE-2020-15096 – Context isolation bypass via Promise in Electron
https://notcve.org/view.php?id=CVE-2020-15096
07 Jul 2020 — In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21. En Electron antes de las versiones 6.1.1, 7.2.4, 8.2.4 y 9.0.0-b... • https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg • CWE-501: Trust Boundary Violation •
CVSS: 7.5EPSS: 0%CPEs: 23EXPL: 0CVE-2020-4075 – Arbitrary file read via window-open IPC in Electron
https://notcve.org/view.php?id=CVE-2020-4075
07 Jul 2020 — In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. En Electron antes de las versiones 7.2.4, 8.2.4 y 9.0.0-beta21, una lectura arbitraria de archivos locales es posible al definir opc... • https://github.com/electron/electron/security/advisories/GHSA-f9mq-jph6-9mhm • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 9.0EPSS: 0%CPEs: 23EXPL: 0CVE-2020-4076 – Context isolation bypass via leaked cross-context objects in Electron
https://notcve.org/view.php?id=CVE-2020-4076
07 Jul 2020 — In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. En Electron antes de las versiones 7.2.4, 8.2.4 y 9.0.0-beta21, se presenta una omisión de aislamiento de contexto. • https://github.com/electron/electron/security/advisories/GHSA-m93v-9qjc-3g79 • CWE-501: Trust Boundary Violation •
CVSS: 9.9EPSS: 0%CPEs: 23EXPL: 0CVE-2020-4077 – Context isolation bypass via contextBridge in Electron
https://notcve.org/view.php?id=CVE-2020-4077
07 Jul 2020 — In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4. En Electron antes de las versiones 7.2.4, 8.2.4 y 9.0.0-beta21, se presenta una omisión de aislamiento de contexto. • https://github.com/electron/electron/security/advisories/GHSA-h9jc-284h-533g • CWE-501: Trust Boundary Violation •