CVE-2020-15215
5.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nodeIntegrationInSubFrames: true are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| electron | electron | >= 8.0.0-beta.0, < 8.5.2 | affected |
| electron | electron | >= 9.0.0-beta.0, < 9.3.1 | affected |
| electron | electron | >= 10.0.0-beta.0, < 10.1.2 | affected |
| electron | electron | >= 11.0.0-beta.0, < 11.0.0-beta.6 | affected |
Weaknesses
- CWE-693: CWE-693 Protection Mechanism Failure
- CWE-668: CWE-668 Exposure of Resource to Wrong Sphere
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.