This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
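| Field | Value |
|---|---|
| Vendor | Electronjs |
| Product | Electron |
| Version | |
| Update | |
| Edition | |
| Language | |
| Software Edition | |
| Target Software | |
| Target Hardware | |
| Other | |
| Type | Application |
| First view | 2018-03-07 |
| Last view | 2020-10-06 |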

COMMON PLATFORM ENUMERATION: Repartition per Version

CPE Name Affected CVE
cpe:2.3:a:electronjs:electron:1.7.0:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.1:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.2:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.3:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.4:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.5:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.6:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.7:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.7.15:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:* 7
cpe:2.3:a:electronjs:electron:*:*:*:*:*:*:*:* 7
cpe:2.3:a:electronjs:electron:1.8.1:*:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.8.2:beta.1:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.8.2:beta.2:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.8.2:beta.3:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.8.2:beta.4:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.7.8:*:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.7.9:*:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.7.10:*:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.7.11:*:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.7.12:*:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:1.7.8:*:*:*:*:node.js:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:-:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta1:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta10:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta11:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta12:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta13:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta14:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta15:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta16:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta17:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta18:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta19:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta2:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta20:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta3:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta4:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta5:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta6:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta7:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta8:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:9.0.0:beta9:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:8.0.0:-:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:8.0.0:beta0:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:8.0.0:beta1:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:8.0.0:beta2:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:8.0.0:beta3:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:8.0.0:beta4:*:*:*:*:*:* 6
cpe:2.3:a:electronjs:electron:8.0.0:beta5:*:*:*:*:*:* 6

Related : CVE

  Date Alert Description
5.6 2020-10-06 CVE-2020-15215

Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nodeIntegrationInSubFrames: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

7.5 2020-10-06 CVE-2020-15174

In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1. As a workaround, sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

9.9 2020-07-07 CVE-2020-4077

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

9 2020-07-07 CVE-2020-4076

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using contextIsolation are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

7.5 2020-07-07 CVE-2020-4075

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

6.8 2020-07-07 CVE-2020-15096

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds; you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.

8.1 2018-08-23 CVE-2018-15685

GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.

9.8 2018-06-06 CVE-2017-16151

Based on details posted by the ElectronJS team: a remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled.

8.1 2018-03-23 CVE-2018-1000136

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appears to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

8.8 2018-03-07 CVE-2018-1000118

GitHub Electron version 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execution. This attack appears to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it.

CWE : Common Weakness Enumeration

% id Name
25% (2) CWE-693 Protection Mechanism Failure
25% (2) CWE-20 Improper Input Validation
12% (1) CWE-668 Exposure of Resource to Wrong Sphere
12% (1) CWE-552 Files or Directories Accessible to External Parties
12% (1) CWE-94 Failure to Control Generation of Code ('Code Injection')
12% (1) CWE-78 Improper Sanitization of Special Elements used in an OS Command ('O...

Snort® IPS/IDS

Date Description
2018-07-03 Electron nodeIntegration bypass exploit attempt
RuleID : 46855 - Type : BROWSER-OTHER - Revision : 1
2018-07-03 Electron nodeIntegration bypass exploit attempt
RuleID : 46854 - Type : BROWSER-OTHER - Revision : 1