CVE-2018-1000136
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.
Electron, en versiones desde la 1.7 hasta la 1.7.12, desde la 1.8 hasta la 1.8.3 y desde la 2.0.0 hasta la 2.0.0-beta.3, contiene una vulnerabilidad de gestión incorrecta de valores en Webviews que puede dar como resultado la ejecución remota de código. Parece que este ataque puede ser explotable mediante una app que permite la ejecución de código de terceros, no acepta la integración de nodos y no especifica si la vista web está habilitada o deshabilitada. Esta vulnerabilidad parece haber sido solucionada en las versiones 1.7.13, 1.8.4, 2.0.0-beta.4.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-03-21 CVE Reserved
- 2018-03-23 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-10-24 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://www.electronjs.org/blog/webview-fix | 2019-10-03 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | >= 1.7.0 <= 1.7.12 Search vendor "Electronjs" for product "Electron" and version " >= 1.7.0 <= 1.7.12" | - |
Affected
| ||||||
Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | > 1.8.0 <= 1.8.3 Search vendor "Electronjs" for product "Electron" and version " > 1.8.0 <= 1.8.3" | - |
Affected
| ||||||
Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | - |
Affected
| ||||||
Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta1 |
Affected
| ||||||
Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta2 |
Affected
| ||||||
Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta3 |
Affected
| ||||||
Electronjs Search vendor "Electronjs" | Electron Search vendor "Electronjs" for product "Electron" | 2.0.0 Search vendor "Electronjs" for product "Electron" and version "2.0.0" | beta4 |
Affected
|