4 results (0.003 seconds)

CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0

Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19. Tauri es un framework para crear archivos binarios para las principales plataformas de escritorio. • https://github.com/tauri-apps/tauri/issues/8316 https://github.com/tauri-apps/tauri/security/advisories/GHSA-57fm-592m-34r7 • CWE-284: Improper Access Control •

CVSS: 8.4EPSS: 0%CPEs: 16EXPL: 0

Tauri is a framework for building binaries for all major desktop platforms. This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the `Vite guide` to showcase how to use Tauri together with Vite. Copying the following snippet `envPrefix: ['VITE_', 'TAURI_'],` from this guide into the `vite.config.ts` of a Tauri project leads to bundling the `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` into the Vite frontend code and therefore leaking this value to the released Tauri application. Using the `envPrefix: ['VITE_'],` or any other framework than Vite means you are not impacted by this advisory. • https://github.com/tauri-apps/tauri/security/advisories/GHSA-2rcp-jvr4-r259 https://tauri.app/v1/guides/getting-started/setup/vite • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •

CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0

Tauri is software for building applications for multi-platform deployment. The Tauri IPC is usually strictly isolated from external websites, but in versions 1.0.0 until 1.0.9, 1.1.0 until 1.1.4, and 1.2.0 until 1.2.5, the isolation can be bypassed by redirecting an existing Tauri window to an external website. This is either possible by an application implementing a feature for users to visit arbitrary websites or due to a bug allowing the open redirect. This allows the external website access to the IPC layer and therefore to all configured and exposed Tauri API endpoints and application specific implemented Tauri commands. This issue has been patched in versions 1.0.9, 1.1.4, and 1.2.5. • https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.0.9 https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.1.4 https://github.com/tauri-apps/tauri/releases/tag/tauri-v1.2.5 https://github.com/tauri-apps/tauri/security/advisories/GHSA-4wm2-cwcf-wwvp https://www.github.com/tauri-apps/tauri/commit/58ea0b45268dbd46cbac0ebb0887353d057ca767 https://www.github.com/tauri-apps/tauri/commit/fa90214b052b1a5d38d54fbf1ca422b4c37cfd1f • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 7.7EPSS: 0%CPEs: 5EXPL: 1

Tauri is a framework for building binaries for all major desktop platforms. The filesystem glob pattern wildcards `*`, `?`, and `[...]` match file path literals and leading dots by default, which unintentionally exposes sub folder content of allowed paths. Scopes without the wildcards are not affected. As `**` allows for sub directories the behavior there is also as expected. • https://github.com/tauri-apps/tauri/commit/72389b00d7b495ffd7750eb1e75a3b8537d07cf3 https://github.com/tauri-apps/tauri/commit/f0602e7c294245ab6ef6fbf2a976ef398340ef58 https://github.com/tauri-apps/tauri/security/advisories/GHSA-6mv3-wm7j-h4w5 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •