CVE-2023-23623

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-23623
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23623.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-23623
Aliases
Downstream
Related
Published
2023-09-06T20:16:10.381Z
Modified
2025-12-04T23:39:54.395452Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled in Electron
Details

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. A Content-Security-Policy that disables eval, specifically setting a script-src directive and not providing unsafe-eval in that directive, is not respected in renderers that have sandbox disabled. i.e. sandbox: false in the webPreferences object. This allows usage of methods like eval() and new Function unexpectedly which can result in an expanded attack surface. This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes: 22.0.1 and 23.0.0-alpha.2 We recommend all apps upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by enabling sandbox: true on all renderers.

Database specific 
{
    "cwe_ids": [
        "CWE-670"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23623.json"
}
References

Affected packages

Git / github.com/electron/electron

Affected ranges

Type
GIT
Repo
https://github.com/electron/electron
Events
Introduced
b930387036ca3f23a274a652ca603873f99fef3b
Fixed
a07c34e420b69e3cdd3a5305c49eb1128b25fabb
Database specific 
{
    "versions": [
        {
            "introduced": "22.0.0-beta.1"
        },
        {
            "fixed": "22.0.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/electron/electron
Events
Introduced
af0a995bb21d5c9fcbf93f0290ed4714596e978e
Fixed
1c1a0cdead3407ac02aceae7f006c153e47602f3
Database specific 
{
    "versions": [
        {
            "introduced": "23.0.0-alpha.1"
        },
        {
            "fixed": "23.0.0-alpha.2"
        }
    ]
}

Affected versions

v22.*

v22.0.0
v22.0.0-beta.1
v22.0.0-beta.2
v22.0.0-beta.3
v22.0.0-beta.4
v22.0.0-beta.5
v22.0.0-beta.6
v22.0.0-beta.7
v22.0.0-beta.8

v23.*

v23.0.0-alpha.1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Function",
        "target": {
            "function": "InspectableWebContents::ClearPreferences",
            "file": "shell/browser/ui/inspectable_web_contents.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-138dcb59",
        "digest": {
            "length": 142.0,
            "function_hash": "173935874995917368037127163889591779583"
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Function",
        "target": {
            "function": "BuildTargetDescriptor",
            "file": "shell/browser/ui/webui/accessibility_ui.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-2a9ea3cb",
        "digest": {
            "length": 636.0,
            "function_hash": "238257574757346809139862102298383675924"
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/a07c34e420b69e3cdd3a5305c49eb1128b25fabb",
        "signature_type": "Line",
        "target": {
            "file": "shell/browser/notifications/platform_notification_service.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-437bdd4d",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "133408743003997569671970012437185601488",
                "315218091813569095968094056130890783899",
                "99709583869308153268334158444153989795",
                "145385065192667358463436468010079015290"
            ]
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Line",
        "target": {
            "file": "shell/browser/extensions/electron_extensions_browser_client.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-52d14dff",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "10312611884103273294849227000456206718",
                "159570375059680231594248300604767063228",
                "31152401867533473724118042895781021654",
                "267191267299597376165389066267429707391",
                "171770651174663178000207301271939084332",
                "105191591271440122971728183374502535377",
                "54355081470580102369813854122316108434"
            ]
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/a07c34e420b69e3cdd3a5305c49eb1128b25fabb",
        "signature_type": "Function",
        "target": {
            "function": "OnWebNotificationAllowed",
            "file": "shell/browser/notifications/platform_notification_service.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-8676455e",
        "digest": {
            "length": 426.0,
            "function_hash": "210825352980135351364877958693235574142"
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Line",
        "target": {
            "file": "shell/browser/ui/webui/accessibility_ui.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-a7d8e0d0",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "231151642904587382401774595197696701533",
                "109941424534581039628345939541764301403",
                "38580702695736502734200602486580199818",
                "205264323562687685830738818264832897360"
            ]
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Line",
        "target": {
            "file": "shell/browser/api/electron_api_web_contents.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-b4ecdf4f",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "274709729874707504501499024312176330799",
                "18091213333507853373683825754971255747",
                "26549654472516725172250827306514718987",
                "130116560370742820726141001812944553754"
            ]
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Line",
        "target": {
            "file": "shell/browser/ui/inspectable_web_contents.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-bceaaac3",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "34197740398737399396791872799821795668",
                "206722471502810938030119873957727960980",
                "135773686834598237286636838172922975891",
                "338359840087280005205138334530470689215"
            ]
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Line",
        "target": {
            "file": "shell/browser/ui/autofill_popup.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-cebab421",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "274798469715364086079297538001625565590",
                "176871433249218513965666273511361364763",
                "278408423342860564040623081107956058646",
                "120158127279641240318962179224213172498",
                "336766852832192368461011864886593938907",
                "223856066638177086335473029042603727329",
                "192578176428858853233703345903521994122",
                "233315892441013121179942306256663841101",
                "75973978982161986689169495341560785315",
                "290756033307155017437865794876808806145",
                "270397844025098454946339765328278644773",
                "95856700776112602308387428085895672357",
                "105932749930167756955168808084528977354",
                "290637982950649072004544825094832729466"
            ]
        }
    },
    {
        "source": "https://github.com/electron/electron/commit/1c1a0cdead3407ac02aceae7f006c153e47602f3",
        "signature_type": "Function",
        "target": {
            "function": "AutofillPopup::UpdatePopupBounds",
            "file": "shell/browser/ui/autofill_popup.cc"
        },
        "signature_version": "v1",
        "deprecated": false,
        "id": "CVE-2023-23623-f7bfe39e",
        "digest": {
            "length": 702.0,
            "function_hash": "229117407104243333709723178847208257872"
        }
    }
]