CVE-2020-15215 – electron

Package

Manager: npm
Name: electron
Vulnerable Version: =11.0.0 || =9.3.0 || >=10.0.0 <=10.0.1 || >=10.1.0 <=10.1.1 || >=8.0.0 <=8.0.3 || >=8.1.0 <=8.1.1 || >=8.2.0 <=8.2.5 || >=8.3.0 <=8.3.4 || >=8.4.0 <=8.4.1 || >=8.5.0 <=8.5.1 || >=9.0.0 <=9.0.6 || >=9.1.0 <=9.1.2 || >=9.2.0 <=9.2.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00282 pctl0.5115

Details

Context isolation bypass in Electron ### Impact Apps using both `contextIsolation` and `sandbox: true` are affected. Apps using both `contextIsolation` and `nativeWindowOpen: true` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. ### Workarounds There are no app-side workarounds, you must update your Electron version to be protected. ### Fixed Versions * `11.0.0-beta.6` * `10.1.2` * `9.3.1` * `8.5.2` ### For more information If you have any questions or comments about this advisory: * Email us at [security@electronjs.org](mailto:security@electronjs.org)

Metadata

Created: 2020-10-06T17:46:40Z
Modified: 2021-01-07T22:51:36Z
Source: MANUAL
CWE IDs: ["CWE-668", "CWE-693"]
Alternative ID: GHSA-56pc-6jqp-xqj8
Finding: F115
Auto approve: 1