Moderate severityNVD Advisory· Published Jul 7, 2020· Updated Aug 4, 2024
Arbitrary file read via window-open IPC in Electron
CVE-2020-4075
Description
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
electronnpm | < 7.2.4 | 7.2.4 |
electronnpm | >= 8.0.0, < 8.2.4 | 8.2.4 |
Affected products
2- Range: >= 9.0.0-beta.0, <= 9.0.0-beta.20
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-f9mq-jph6-9mhmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-4075ghsaADVISORY
- github.com/electron/electron/security/advisories/GHSA-f9mq-jph6-9mhmghsax_refsource_CONFIRMWEB
- www.electronjs.org/releases/stableghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.