CVE-2020-4075

Summary

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Affected Software

VendorProductVersion RangeStatus
electronelectron>= 9.0.0-beta.0, <= 9.0.0-beta.20affected
electronelectron>= 8.0.0, < 8.2.4affected
electronelectron< 7.2.4affected

Weaknesses

  • CWE-552: {"CWE-552":"Files or Directories Accessible to External Parties"}

ADP Enrichment

CVE Program Container

Additional References

References