NebulousLabs/Sia-UI

A UI application for interfacing with Sia.
Vulnerabilities 4 via 4 paths
Dependencies 205
Source GitHub
Commit cd7e221b

high severity

Arbitrary Code Execution

  • Vulnerable module: electron
  • Introduced through: electron@2.0.2

Detailed paths

  • Introduced through: Sia-UI@NebulousLabs/Sia-UI#cd7e221b98fc7a395de25bd8dfaa4f4de2a6e3d2 electron@2.0.2
    Remediation: Upgrade to electron@2.0.17.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Opening a BrowserView with sandbox: true or nativeWindowOpen: true and nodeIntegration: false results in a webContents where window.open() can be called and the newly opened child will have nodeIntegration enabled.

Remediation

Upgrade electron to version 2.0.17, 3.0.15, 3.1.3, 4.0.4, 5.0.0-beta.2 or higher.

If for some reason you are unable to upgrade your Electron version, you can mitigate this issue by disabling all child web contents: view.webContents.on('-add-new-contents', e => e.preventDefault());

high severity

Arbitrary Code Execution

  • Vulnerable module: electron
  • Introduced through: electron@2.0.2

Detailed paths

  • Introduced through: Sia-UI@NebulousLabs/Sia-UI#cd7e221b98fc7a395de25bd8dfaa4f4de2a6e3d2 electron@2.0.2
    Remediation: Upgrade to electron@5.0.0.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Execution due to Node being enabled in a webview, because the default values of nodeIntegration and webviewTag were set to true when they were left undefined by the user. The fix lets users prevent Node and webview from being enabled when these options are undefined, by changing the default values of nodeIntegration and webviewTag to false.

Remediation

Upgrade electron to version 5.0.0-beta.1 or higher.

high severity

Arbitrary Code Execution

  • Vulnerable module: electron
  • Introduced through: electron@2.0.2

Detailed paths

  • Introduced through: Sia-UI@NebulousLabs/Sia-UI#cd7e221b98fc7a395de25bd8dfaa4f4de2a6e3d2 electron@2.0.2
    Remediation: Upgrade to electron@2.0.8.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Execution. Note: This vulnerability affects only users who embed remote user content, even in a sandbox, and accept user input that is exposed to XSS vulnerabilities.

Remediation

Upgrade electron to version 1.7.16, 1.8.8, 2.0.8, 3.0.0-beta.7 or higher.

high severity

Use After Free

  • Vulnerable module: electron
  • Introduced through: electron@2.0.2

Detailed paths

  • Introduced through: Sia-UI@NebulousLabs/Sia-UI#cd7e221b98fc7a395de25bd8dfaa4f4de2a6e3d2 electron@2.0.2
    Remediation: Upgrade to electron@2.0.18.

Overview

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Chromium FileReader.

Note: This vulnerability affects all software based on Chromium, including Electron.

Remediation

Upgrade electron to version 2.0.18, 3.0.16, 3.1.6, 4.0.8 or higher.
