GHSA-v3wr-67px-44xg – @advanced-rest-client/base

Package

Manager: npm
Name: @advanced-rest-client/base
Vulnerable Version: >=0 <0.1.10

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:H/SA:N

EPSS: N/A pctlN/A

Details

Execution with Unnecessary Privileges in arc-electron ### Impact When the end-user click on the response header that contains a link the target will be opened in ARC new window. This window will have the default preload script loaded which allows the scripts embedded in the link target to execute any logic that ARC has access to from the renderer process, which includes file system access, data store access (which may contain sensitive information), and some additional processes that only ARC should have access to. ### Patches This is patched in version 17.0.9. ### Workarounds Do not click onto any link in the response headers view. ### For more information If you have any questions or comments about this advisory: * Open an issue in [advanced-rest-client/arc-electron](https://github.com/advanced-rest-client/arc-electron) * Email us at [Salesforce Security](mailto:security@salesforce.com)

Metadata

Created: 2022-03-03T19:11:14Z
Modified: 2022-03-03T19:11:14Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-v3wr-67px-44xg/GHSA-v3wr-67px-44xg.json
CWE IDs: []
Alternative ID: N/A
Finding: F159
Auto approve: 1