Input validation error in Electron - CVE-2020-15096

 


Published: July 7, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34170
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:U/U:Green
CVE-ID: CVE-2020-15096
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Electron
Software vendor: Electron

Description

The vulnerability allows a remote privileged user to manipulate data.

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass: code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds; you must update your Electron version to be protected. The issue is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.


Remediation

Install the update from the vendor's website.
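
One way to check resolved Electron versions (for example, from lockfiles) against the fixed releases listed in the description. This is an added example, not code from the advisory or the Electron project; the function names and sample versions are constructed, and it assumes npm's spelling `9.0.0-beta.21` is the release the advisory writes as 9.0.0-beta21.

```javascript
// First fixed release per major line, as listed in the advisory.
const FIXED = { 6: [6, 1, 1], 7: [7, 2, 4], 8: [8, 2, 4] };
const FIXED_9_BETA = 21; // 9.0.0-beta21; npm spells it 9.0.0-beta.21

// Parse an exact version ("8.2.3", "v9.0.0-beta.20"); ranges and tags return null.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(raw).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare two [major, minor, patch] triples: -1, 0 or 1.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns "affected", "fixed" or "unknown" (input is not an exact version).
function classifyElectron(raw) {
  const v = parseVersion(raw);
  if (!v) return "unknown";
  const major = v.core[0];
  if (major < 6) return "affected"; // before 6.1.1, no fixed release listed
  if (major in FIXED) {
    const c = compareCore(v.core, FIXED[major]);
    // A prerelease of the fixed version itself sorts before that version.
    if (c === 0 && v.pre) return "affected";
    return c < 0 ? "affected" : "fixed";
  }
  if (major === 9 && compareCore(v.core, [9, 0, 0]) === 0 && v.pre) {
    const beta = /^beta\.?(\d+)$/.exec(v.pre);
    // Assumption: non-beta prereleases of 9.0.0 predate beta21.
    return beta && Number(beta[1]) >= FIXED_9_BETA ? "fixed" : "affected";
  }
  // Per the advisory's wording, anything ordered after 9.0.0-beta21 is fixed.
  return "fixed";
}

// Constructed sample inventory of resolved versions.
const sample = ["5.0.13", "6.1.0", "7.2.4", "8.2.3", "9.0.0-beta.20", "9.0.0-beta21", "9.0.0", "latest"];
for (const v of sample) console.log(v.padEnd(14), classifyElectron(v));
```

Feed it the version actually installed rather than a `package.json` range such as `^8.2.3`, which is reported as "unknown" because the range alone does not say which release was resolved.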
