CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39698 – Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6
https://notcve.org/view.php?id=CVE-2024-39698
electron-updater allows for automatic updates for Electron apps. The file `packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts` implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by `cmd.exe` expands any environment variable found in command-line above. This creates a situation where `verifySignature()` can be tricked into validating the certificate of a different file than the one that was just downloaded. If the step is successful, the malicious update will be executed even if its signature is invalid. • https://github.com/electron-userland/electron-builder/blob/140e2f0eb0df79c2a46e35024e96d0563355fc89/packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts#L35-L41 https://github.com/electron-userland/electron-builder/commit/ac2e6a25aa491c1ef5167a552c19fc2085cd427f https://github.com/electron-userland/electron-builder/pull/8295 https://github.com/electron-userland/electron-builder/security/advisories/GHSA-9jxc-qjr9-vjxq • CWE-154: Improper Neutralization of Variable Name Delimiters •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27303 – electron-builder's NSIS installer - execute arbitrary code on the target machine (Windows only)
https://notcve.org/view.php?id=CVE-2024-27303
electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Windows and Linux. A vulnerability that only affects eletron-builder prior to 24.13.2 in Windows, the NSIS installer makes a system call to open cmd.exe via NSExec in the `.nsh` installer script. NSExec by default searches the current directory of where the installer is located before searching `PATH`. This means that if an attacker can place a malicious executable file named cmd.exe in the same folder as the installer, the installer will run the malicious file. Version 24.13.2 fixes this issue. • https://github.com/electron-userland/electron-builder/commit/8f4acff3c2d45c1cb07779bb3fe79644408ee387 https://github.com/electron-userland/electron-builder/pull/8059 https://github.com/electron-userland/electron-builder/security/advisories/GHSA-r4pf-3v7r-hh55 • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •
CVSS: 2.6EPSS: 0%CPEs: 1EXPL: 0CVE-2006-1903
https://notcve.org/view.php?id=CVE-2006-1903
Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila allow remote attackers to inject arbitrary web script or HTML (1) via the referer parameter in sendMail, and via attributes of (2) the A element and certain other HTML elements in web pages edited with the editInBrowser module. NOTE: the msgReader$1 mode attack vector is already covered by CVE-2006-1769. • http://www.securityfocus.com/archive/1/431058/100/0/threaded http://www.securityfocus.com/bid/17563 http://www.securityfocus.com/bid/17565 •
CVSS: 6.8EPSS: 5%CPEs: 2EXPL: 1CVE-2006-1769
https://notcve.org/view.php?id=CVE-2006-1769
Multiple cross-site scripting (XSS) vulnerabilities in UserLand Manila 9.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the mode parameter in msgReader$1 and (2) the end of the URI in viewDepartment$. • http://secunia.com/advisories/19636 http://securityreason.com/securityalert/692 http://www.osvdb.org/24554 http://www.securityfocus.com/archive/1/430668/100/0/threaded http://www.securityfocus.com/bid/17475 https://exchange.xforce.ibmcloud.com/vulnerabilities/25753 •