7.5
CVE-2020-15174
- EPSS 1.32%
- Veröffentlicht 06.10.2020 18:15:14
- Zuletzt bearbeitet 21.11.2024 05:05:00
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginUnpreventable top-level navigation in Electron
In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Electronjs ≫ Electron Version >= 8.0.0 < 8.5.1
Electronjs ≫ Electron Version >= 9.0.0 < 9.3.0
Electronjs ≫ Electron Version >= 10.0.0 < 10.0.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.32% | 0.672 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 2.2 | 4.7 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L
|
| nvd@nist.gov | 5.8 | 8.6 | 4.9 |
AV:N/AC:M/Au:N/C:N/I:P/A:P
|
| security-advisories@github.com | 7.5 | 2.2 | 4.7 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-693 Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b
https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674