MichMich/MagicMirror

The open source modular smart mirror platform.
Vulnerabilities 1 via 1 paths
Dependencies 261
Source GitHub
Commit 500147e1

high severity
new

Arbitrary Code Execution

  • Vulnerable module: electron
  • Introduced through: electron@3.1.13

Detailed paths

  • Introduced through: magicmirror@MichMich/MagicMirror#500147e1300c544f99ebb63c6a8a2769e5f96f9b electron@3.1.13
    Remediation: Upgrade to electron@5.0.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Execution because Node is enabled in a webview: the default values of nodeIntegration and webviewTag were set to true when they were left undefined by the user. The fix sets the default values of nodeIntegration and webviewTag to false, so that Node and webview are not enabled when these options are undefined.

Remediation

Upgrade electron to version 5.0.0-beta.1 or higher.
