npm package
electron
pkg:npm/electron
Vulnerabilities (48)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-15685 | — | | | >= 1.7.0, < 1.7.16 | 1.7.16 | Aug 23, 2018 | GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution. |
| CVE-2017-16151 | — | | | < 1.6.14 | 1.6.14 | Jun 7, 2018 | Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandb |
| CVE-2018-1000136 | — | | | >= 1.7.0, < 1.7.13 | 1.7.13 | Mar 23, 2018 | Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND |
| CVE-2018-1000118 | — | | | < 1.8.2-beta5 | 1.8.2-beta5 | Mar 7, 2018 | Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerabili |
| CVE-2018-1000006 | — | | | >= 1.7.0, < 1.7.11 | 1.7.11 | Jan 24, 2018 | GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution |
| CVE-2017-1000424 | — | | | >= 1.7.0, < 1.7.6 | 1.7.6 | Jan 2, 2018 | Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vulnerable to a URL Spoofing problem when opening PDFs in PDFium resulting loading arbitrary PDFs that a hacker can control. |
| CVE-2017-12581 | High | 8.1 | | < 1.6.8 | 1.6.8 | Aug 6, 2017 | GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. This also affects all applications that bundle Electron code equivalent to 1.6.8 or earlier. Bypassing the Same Origin Policy (SOP) is a precondition; however, recent E |
| CVE-2016-1202 | High | 7.8 | | < 0.33.5 | 0.33.5 | Apr 25, 2016 | Untrusted search path vulnerability in Atom Electron before 0.33.5 allows local users to gain privileges via a Trojan horse Node.js module in a parent directory of a directory named on a require line. |
Page 3 of 3