← Back

CVE-2020-4075

nvd nist
Published: Jul 7, 2020Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 3.6
Source: NVD

Description

In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not something you expect. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.

Affected (23)

Products: Electronjs: Electron
Electronjs
1 product
Electron
Configuration A
23 vulnerable
Vulnerable SoftwareAffected Versions
Electronjs
Electron
From 7.0.0 to 7.2.4
Electron
From 8.0.0 to 8.2.4
Electron
Version 9.0.0
Electron
Version 9.0.0 beta10
Electron
Version 9.0.0 beta11
Electron
Version 9.0.0 beta12
Electron
Version 9.0.0 beta13
Electron
Version 9.0.0 beta14
Electron
Version 9.0.0 beta15
Electron
Version 9.0.0 beta16
Electron
Version 9.0.0 beta17
Electron
Version 9.0.0 beta18
Electron
Version 9.0.0 beta19
Electron
Version 9.0.0 beta1
Electron
Version 9.0.0 beta20
Electron
Version 9.0.0 beta2
Electron
Version 9.0.0 beta3
Electron
Version 9.0.0 beta4
Electron
Version 9.0.0 beta5
Electron
Version 9.0.0 beta6
Electron
Version 9.0.0 beta7
Electron
Version 9.0.0 beta8
Electron
Version 9.0.0 beta9

Related CWEs

CWE-552
Files or Directories Accessible to External Parties
The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (4)

Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Release NotesVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Release NotesVendor Advisory

Timeline

No history available yet.