CVE-2018-1000118 – electron

Package

Manager: npm
Name: electron
Vulnerable Version: >=0 <1.8.2-beta5

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.04776 pctl0.89044

Details

Electron protocol handler browser vulnerable to Command Injection Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it.

Metadata

Created: 2018-03-26T16:41:20Z
Modified: 2022-04-26T14:35:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-fjqr-fx3f-g4rv/GHSA-fjqr-fx3f-g4rv.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-fjqr-fx3f-g4rv
Finding: F404
Auto approve: 1