CVE-2020-15215

Summary

Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vulnerable to a context isolation bypass. Apps using both contextIsolation and sandbox: true are affected. Apps using both contextIsolation and nodeIntegrationInSubFrames: true are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Affected Software

VendorProductVersion RangeStatus
electronelectron>= 8.0.0-beta.0, < 8.5.2affected
electronelectron>= 9.0.0-beta.0, < 9.3.1affected
electronelectron>= 10.0.0-beta.0, < 10.1.2affected
electronelectron>= 11.0.0-beta.0, < 11.0.0-beta.6affected

Weaknesses

  • CWE-693: CWE-693 Protection Mechanism Failure
  • CWE-668: CWE-668 Exposure of Resource to Wrong Sphere

ADP Enrichment

CVE Program Container

Additional References

References