Arbitrary Code Execution
Affecting electron package, versions <5.0.0-beta.1
Report new vulnerabilities
Do your applications use this vulnerable package?
Test your applications
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Arbitrary Code Execution due to Node being enabled in a webview because the default values of nodeIntegration
and webviewTag
were set to true
when they where undefined by a user. The fix allows users to prevent Node and webview being enabled, when undefined, by setting the default values of nodeIntegration
and webviewTag
to false
.
Remediation
Upgrade electron
to version 5.0.0-beta.1 or higher.
References
CVSS Score
7.3
high severity
-
Attack VectorNetwork
-
Attack ComplexityLow
-
Privileges RequiredNone
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityLow
-
IntegrityLow
-
AvailabilityLow
- Credit
- Unknown
- CWE
- CWE-453
- Snyk ID
- SNYK-JS-ELECTRON-483056
- Disclosed
- 07 Jan, 2019
- Published
- 11 Nov, 2019