CVE-2020-15174 electron

Package

Manager: npm
Name: electron
Vulnerable Version: =11.0.0 || =9.3.0 || >=10.0.0 <=10.0.1 || >=10.1.0 <=10.1.1 || >=8.0.0 <=8.0.3 || >=8.1.0 <=8.1.1 || >=8.2.0 <=8.2.5 || >=8.3.0 <=8.3.4 || >=8.4.0 <=8.4.1 || >=8.5.0 <=8.5.1 || >=9.0.0 <=9.0.6 || >=9.1.0 <=9.1.2 || >=9.2.0 <=9.2.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

EPSS: 0.00189 (percentile 0.40953)

Details

Unpreventable top-level navigation

### Impact

The `will-navigate` event that apps use to prevent navigations to unexpected destinations [as per our security recommendations](https://www.electronjs.org/docs/tutorial/security) can be bypassed when a sub-frame performs a top-frame navigation across sites.

### Patches

* `11.0.0-beta.1`
* `10.0.1`
* `9.3.0`
* `8.5.1`

### Workarounds

Sandbox all your iframes using the [`sandbox` attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox). This will prevent them from creating top-frame navigations and is good practice anyway.

### For more information

If you have any questions or comments about this advisory:

* Email us at security@electronjs.org
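An added example, not code from the advisory or from the Electron project, showing the two defences the advisory refers to side by side: the main-process `will-navigate` guard from the linked security recommendations (the hook that the vulnerable versions let a sub-frame bypass) and a check that every iframe in renderer HTML carries the `sandbox` attribute, which is the workaround that holds regardless of version. It goes one step beyond the advisory text by also flagging `sandbox` values that re-grant top-frame navigation through an `allow-top-navigation*` token. `ALLOWED_ORIGINS`, `attachNavigationGuard`, `findUnsandboxedIframes` and the sample origin are assumptions made here.

```javascript
// Added example, not code from the advisory or from Electron itself. Assumes an
// app whose top frame should only show https://app.example.com (constructed
// sample origin) and whose renderer embeds third-party iframes.

// Origins the top frame may navigate to (assumed allow-list).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Pure decision used by the will-navigate handler: unparsable URLs and origins
// outside the list are denied.
function isAllowedNavigation(target, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try { parsed = new URL(target); } catch (e) { return false; }
  return allowed.has(parsed.origin);
}

// Main-process wiring per the Electron security recommendations: cancel any
// navigation the allow-list rejects. On the vulnerable versions a sub-frame
// can still navigate the top frame past this hook, so pair it with the
// iframe sandbox workaround below.
function attachNavigationGuard(webContents) {
  webContents.on('will-navigate', (event, url) => {
    if (!isAllowedNavigation(url)) event.preventDefault();
  });
}

// Renderer-side workaround from the advisory: every <iframe> must carry a
// `sandbox` attribute. This check also flags sandbox values that hand top-frame
// navigation back via an allow-top-navigation* token.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const SANDBOX_RE = /(?:^|\s)sandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/i;

function findUnsandboxedIframes(html) {
  const offenders = [];
  for (const m of html.matchAll(IFRAME_RE)) {
    const sb = SANDBOX_RE.exec(m[1]);
    if (!sb) { offenders.push(m[0]); continue; } // no sandbox attribute at all
    const tokens = (sb[1] || sb[2] || sb[3] || '').toLowerCase();
    if (tokens.includes('allow-top-navigation')) offenders.push(m[0]); // re-enabled
  }
  return offenders;
}
```

Run `findUnsandboxedIframes` over each renderer HTML file at build time and fail the build on a non-empty result; `attachNavigationGuard(win.webContents)` is called once per `BrowserWindow` in the main process.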

Metadata

Created: 2020-10-06T14:24:04Z
Modified: 2021-11-19T14:44:04Z
Source: MANUAL
CWE IDs: ["CWE-20", "CWE-693"]
Alternative ID: GHSA-2q4g-w47c-4674
Finding: F115
Auto approve: 1