CVE-2018-1000136

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-1000136
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000136.json
Aliases
Published
2018-03-23T19:29:00Z
Modified
2023-11-29T06:23:41.414428Z
Details

Electron version 1.7 up to 1.7.12; 1.8 up to 1.8.3 and 2.0.0 up to 2.0.0-beta.3 contains an improper handling of values vulnerability in Webviews that can result in remote code execution. This attack appear to be exploitable via an app which allows execution of 3rd party code AND disallows node integration AND has not specified if webview is enabled/disabled. This vulnerability appears to have been fixed in 1.7.13, 1.8.4, 2.0.0-beta.4.

References

Affected packages

Git / github.com/electron/electron

Affected ranges

Type
GIT
Repo
https://github.com/electron/electron
Events
Last affected
6b90807cb8f3fd97cb4a20ac8c4407e219c564af
Introduced
b6319698f12f6f0d8095da7a0528b4a3b9949834
Last affected
1ddf6188f4389642dcd1c3a26c945fcbe6add1a6

Affected versions

v1.*

v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.8.0
v1.8.1
v1.8.2
v1.8.2-beta.1
v1.8.2-beta.2
v1.8.2-beta.3
v1.8.2-beta.4
v1.8.2-beta.5
v1.8.3

v2.*

v2.0.0
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.0-beta.7
v2.0.0-beta.8