CVE-2020-15174
- Source
- https://cve.org/CVERecord?id=CVE-2020-15174
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15174.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2020-15174
- Aliases
- Related
- Published
- 2020-10-06T18:15:14.283Z
- Modified
- 2026-04-11T21:19:55.869214Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L CVSS Calculator
- Summary
- [none]
- Details
-
In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the
will-navigateevent that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 As a workaround sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway. - References
Affected packages
Git / github.com/electron/electron
Affected versions
v10.*
v10.0.0
v8.*
v8.0.0
v8.0.1
v8.0.2
v8.0.3
v8.1.0
v8.1.1
v8.2.0
v8.2.1
v8.2.2
v8.2.3
v8.2.4
v8.2.5
v8.3.0
v8.3.1
v8.3.2
v8.3.3
v8.3.4
v8.4.0
v8.4.1
v8.5.0
v9.*
v9.0.0
v9.0.1
v9.0.2
v9.0.3
v9.0.4
v9.0.5
v9.0.6
v9.1.0
v9.1.1
v9.1.2
v9.2.0
v9.2.1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15174.json"
vanir_signatures
[
{
"digest": {
"length": 458.0,
"function_hash": "199102409340917251199271695657280783075"
},
"id": "CVE-2020-15174-03ae97a3",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Function",
"source": "https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b",
"target": {
"function": "WebContents::OpenURLFromTab",
"file": "shell/browser/api/electron_api_web_contents.cc"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"18876523215243715297215661159503178326",
"105122872310601477653131098437781229927",
"176231553178074587801000684218715842294",
"167506055793440953346741244502466215576",
"255993982251929902972200033026413580857"
]
},
"id": "CVE-2020-15174-2e06a103",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b",
"target": {
"file": "shell/browser/api/electron_api_web_contents.cc"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"18493730393850289687302545064610393440",
"147977453749043512498612488010979206449",
"308911388708264872865473406063814037530"
]
},
"id": "CVE-2020-15174-6aef6df8",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b",
"target": {
"file": "shell/browser/electron_navigation_throttle.h"
}
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"1695771876731390988285255923745959558",
"321385116936480687537501712091518721339",
"207554722948287550673032156114503070072"
]
},
"id": "CVE-2020-15174-8f3204c3",
"deprecated": false,
"signature_version": "v1",
"signature_type": "Line",
"source": "https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712c59b",
"target": {
"file": "shell/browser/electron_navigation_throttle.cc"
}
}
]
vanir_signatures_modified
"2026-04-11T21:19:55Z"