CVE-2018-1000136

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:electronjs:electron:2.0.0:beta4:*:*:*:*:*:*

History

21 Nov 2024, 03:39

Type Values Removed Values Added
References () https://www.electronjs.org/blog/webview-fix - Mitigation, Patch, Vendor Advisory () https://www.electronjs.org/blog/webview-fix - Mitigation, Patch, Vendor Advisory
References () https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/ - Exploit, Third Party Advisory () https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/ - Exploit, Third Party Advisory

Information

Published : 2018-03-23 19:29

Updated : 2024-11-21 03:39


NVD link : CVE-2018-1000136

Mitre link : CVE-2018-1000136

CVE.ORG link : CVE-2018-1000136


JSON object : View

Products Affected

electronjs

  • electron
CWE
CWE-20

Improper Input Validation