VYPR
NVD Advisory · Severity: Unrated · Published Sep 28, 2023 · Updated Aug 2, 2024

CVE-2023-42222

Description

WebCatalog before 49.0 is vulnerable to Incorrect Access Control. WebCatalog calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource, in some circumstances.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

Root cause

"Missing protocol validation before calling Electron's shell.openExternal allows untrusted URLs with non-http/https schemes to be opened."

Attack vector

An attacker can craft a URL with a dangerous scheme (e.g., `file:`, `mailto:`, or any custom protocol handler registered on the victim's host) and deliver it to a WebCatalog user. When WebCatalog passes this untrusted URL to `shell.openExternal` without checking the scheme, the operating system hands the URL to whatever handler is registered for that scheme, which can result in a local program being launched or local resources being accessed in ways the user did not intend [ref_id=1]. The precondition is that the attacker must be able to supply a URL that WebCatalog will open via `shell.openExternal`.

Affected code

The vulnerability is in WebCatalog's use of Electron's `shell.openExternal` function. The advisory does not specify the exact file or function name within WebCatalog, but the bug is that WebCatalog calls `shell.openExternal` without first verifying that the target URL uses an `http` or `https` protocol [ref_id=1].

What the fix does

The advisory does not include a patch diff. However, the Electron security documentation explicitly recommends validating URLs before passing them to `shell.openExternal` — specifically, only allowing `http:` and `https:` protocols [ref_id=1]. The fix for WebCatalog would be to add a protocol whitelist check before calling `shell.openExternal`, rejecting any URL whose protocol is not `http` or `https`.

Preconditions

  • Input: Attacker must be able to supply a URL that WebCatalog will open via shell.openExternal

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
