CVE-2018-1000136
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.
Electron, en versiones desde la 1.7 hasta la 1.7.12, desde la 1.8 hasta la 1.8.3 y desde la 2.0.0 hasta la 2.0.0-beta.3, contiene una vulnerabilidad de gestión incorrecta de valores en Webviews que puede dar como resultado la ejecución remota de código. Parece que este ataque puede ser explotable mediante una app que permite la ejecución de código de terceros, no acepta la integración de nodos y no especifica si la vista web está habilitada o deshabilitada. Esta vulnerabilidad parece haber sido solucionada en las versiones 1.7.13, 1.8.4, 2.0.0-beta.4.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-03-21 CVE Reserved
- 2018-03-23 CVE Published
- 2024-06-26 EPSS Updated
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass | 2024-08-05 |
| URL | Date | SRC |
|---|---|---|
| https://www.electronjs.org/blog/webview-fix | 2019-10-03 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | >= 1.7.0 <= 1.7.12 Search vendor "Electronjs" for product "Electron" and version " >= 1.7.0 <= 1.7.12" | - |
Affected
| ||||||
| Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | > 1.8.0 <= 1.8.3 Search vendor "Electronjs" for product "Electron" and version " > 1.8.0 <= 1.8.3" | - |
Affected
| ||||||
| Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | - |
Affected
| ||||||
| Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta1 |
Affected
| ||||||
| Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta2 |
Affected
| ||||||
| Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta3 |
Affected
| ||||||
| Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta4 |
Affected
| ||||||