VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2021 · Updated Aug 3, 2024

CVE-2021-28134


Description

Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Clipper before 1.0.5 allows remote command execution via a crafted IPC message to ipcRenderer, which triggers the dangerous openExternal API.

Vulnerability

Clipper versions before 1.0.5 expose the ipcRenderer IPC interface to content running in the renderer. A message sent over that interface reaches the openExternal handler in the preload.js script (lines 14-16), which passes the attacker-supplied string straight to remote.shell.openExternal(url) with no validation [1][3]. Because shell.openExternal hands the URL to the operating system's default handler for its scheme, a non-http(s) URL (for example a file: URL pointing at an executable, or a URL for a registered custom protocol handler) can result in command execution rather than a page opening in the browser. All releases prior to the v1.0.5 patch are affected [2][4].

Exploitation

Electron IPC is not a network service: the attacker needs to get a crafted message onto Clipper's IPC channel, which the exposed ipcRenderer interface makes possible from content that Clipper renders. The "remote" in the NVD description therefore refers to attacker-controlled content reaching the renderer, not to a listening port. A message that triggers the openExternalUrl function with a dangerous URL (for example a file:// path to an executable, or a URL handled by a custom protocol handler) makes the host launch the corresponding program, giving the attacker command execution. No authentication is required, and no user interaction is needed beyond the application running with the attacker's content loaded [1][3].

Impact

Successful exploitation results in remote command execution with the privileges of the user running Clipper. This can lead to full system compromise, including data theft, malware installation, or further lateral movement within the network. The impact is severe due to the lack of URL validation in the exposed IPC interface [1][3].

Mitigation

Upgrade to Clipper version 1.0.5 or later, released on 2021-03-11, which adds URL allowlist checking before calling shell.openExternal [2][4]. The fix introduced in commit 28f1492a12234cf1e6af85c78bf22ee2f5090d19 enforces that only trusted URLs are opened [4]. No workaround is available for earlier versions; updating is the only mitigation.
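The handler shapes described in the Vulnerability and Mitigation sections, written out as an added illustration. This is not Clipper's code and not the content of the referenced commit: Electron's shell.openExternal is replaced by an injected callback so the example runs under plain Node, and the channel name, function names and sample messages are assumptions made for the example.

```javascript
// Added example (not from Clipper). Models an Electron "open external URL"
// IPC handler outside Electron. The opener callback stands in for
// shell.openExternal (remote.shell.openExternal in older Electron); the
// channel name "open-external" and the handler names are assumptions.

// Schemes that may be handed to the OS. Anything else (file:, javascript:,
// custom schemes, unparsable input) is refused because the default handler
// for those schemes may be an arbitrary program.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Allowlist check: true only for absolute http(s) URLs without embedded
// credentials. Uses the WHATWG URL parser so scheme detection is not a
// hand-rolled prefix match.
function isSafeExternalUrl(raw) {
  if (typeof raw !== "string") return false;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch (_) {
    return false; // not an absolute URL at all
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false;
  if (parsed.username || parsed.password) return false;
  return true;
}

// Vulnerable shape, as the advisory describes: whatever arrives on the IPC
// channel is forwarded to the opener unchanged.
function vulnerableHandler(openExternal) {
  return function onMessage(url) {
    openExternal(url);
    return { opened: true, url };
  };
}

// Hardened shape: the allowlist check runs before the opener is called.
function hardenedHandler(openExternal) {
  return function onMessage(url) {
    if (!isSafeExternalUrl(url)) {
      return { opened: false, url, reason: "rejected by allowlist" };
    }
    openExternal(url);
    return { opened: true, url };
  };
}

// Feeds a batch of IPC messages to a handler and returns the URLs that
// reached the opener, i.e. what the OS would have been asked to open.
function simulate(makeHandler, messages) {
  const opened = [];
  const handler = makeHandler((u) => opened.push(u));
  for (const m of messages) handler(m.url);
  return opened;
}

// Constructed sample messages, shaped like ipcRenderer.send(channel, url)
// calls from renderer content. Only the first one is a legitimate target.
const SAMPLE_MESSAGES = [
  { channel: "open-external", url: "https://example.com/docs" },
  { channel: "open-external", url: "file:///C:/Windows/System32/calc.exe" },
  { channel: "open-external", url: "javascript:alert(1)" },
  { channel: "open-external", url: "customscheme://run?cmd=whatever" },
  { channel: "open-external", url: "http://user:pw@example.com/" },
  { channel: "open-external", url: "not a url" },
];

console.log("vulnerable handler would open:", simulate(vulnerableHandler, SAMPLE_MESSAGES));
console.log("hardened handler would open:  ", simulate(hardenedHandler, SAMPLE_MESSAGES));
```

Run with `node`: the vulnerable handler forwards all six messages to the opener, the hardened one forwards only the https URL. In a real Electron main process the same check belongs in front of every shell.openExternal call reachable from IPC, and the preload should expose a narrow function via contextBridge rather than the raw ipcRenderer object.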

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2



References

4
