Electron versions 1.7 up to 1.7.12, 1.8 up to 1.8.3, and 2.0.0 up to 2.0.0-beta.3 contain an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appears to be exploitable via an app that allows execution of 3rd party code AND disallows node integration AND has not specified whether webview is enabled or disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, and 2.0.0-beta.4.
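
For auditing an application inventory against the ranges above, the following added example (not code from Electron or from this advisory) classifies an Electron version string and checks the two configuration conditions that can be read from `webPreferences`. The function names are hypothetical, and treating "has not specified if webview is enabled/disabled" as an unset `webviewTag` preference is an assumption.

```javascript
// Added example: classify an Electron version against the advisory's ranges.
// Release line -> first fixed release, as stated in the advisory text.
const FIXED = { '1.7': '1.7.13', '1.8': '1.8.4', '2.0': '2.0.0-beta.4' };

// Parse "MAJOR.MINOR.PATCH[-tag.N]" into comparable parts; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+)\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [m[1], m[2], m[3]].map(Number), tag: m[4] || null, n: m[5] ? Number(m[5]) : 0 };
}

// Semver-style ordering: a pre-release sorts before the release with the same numbers.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.tag === b.tag) return Math.sign(a.n - b.n);
  if (a.tag === null) return 1;
  if (b.tag === null) return -1;
  return a.tag < b.tag ? -1 : 1;
}

// Returns 'affected', 'fixed', 'not-listed' (release line not named in the
// advisory, so no conclusion is drawn) or 'unparseable'.
function classifyElectron(version) {
  const v = parseVersion(version);
  if (!v) return 'unparseable';
  const fixed = FIXED[`${v.nums[0]}.${v.nums[1]}`];
  if (!fixed) return 'not-listed';
  return compare(v, parseVersion(fixed)) < 0 ? 'affected' : 'fixed';
}

// Configuration conditions from the advisory that are visible in webPreferences.
// Assumption: "not specified" means the webviewTag key is absent. Whether the app
// runs 3rd party code cannot be read from configuration and must be reviewed by hand.
function matchesPreconditions(prefs) {
  return prefs.nodeIntegration === false && prefs.webviewTag === undefined;
}
```
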
Vulnerable Product |
---|
electronjs electron 2.0.0 |
electronjs electron |
Infosec bods remind devs, users to check for patches
Electron – the widely used desktop application framework that renders top programs such as Slack, Atom, and Visual Studio Code – suffered from a security vulnerability that potentially allows miscreants to execute evil code on victims' computers. That means applications relying on Electron may need updating. If you use an Electron-based program – there's a list here – you should follow best practices and make sure you're running the latest release of the software. And app developers shou...