Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a thumbnail image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling contextIsolation in one's app. One may also disable the functionality of the createThumbnailFromPath API if one does not need it.
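The two workarounds and the affected-range check, as an added example for an app's main process (not Electron project code). It assumes the `nativeImage` object is passed in rather than required from `electron`, so the helpers can be exercised outside an Electron runtime; the affected ranges are the ones listed in the version table below.

```javascript
// Parse "13.2.3", "14.0.0-beta.7" or CPE-style "14.0.0-beta7" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.?(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable Electron version: ${v}`);
  const [, maj, min, pat, tag, n] = m;
  // A pre-release sorts before the final release: alpha (0) < beta (1) < release (2).
  const rank = tag === undefined ? 2 : tag === 'beta' ? 1 : 0;
  return [Number(maj), Number(min), Number(pat), rank, n === undefined ? 0 : Number(n)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < pa.length; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// [start, end) ranges from the advisory table; each pre-release line ends at its fixed build.
const AFFECTED_RANGES = [
  ['10.1.0', '11.5.0'], ['12.0.0', '12.1.0'], ['13.0.0', '13.3.0'],
  ['14.0.0-beta.1', '14.0.0'], ['15.0.0-alpha.1', '15.0.0-alpha.10'],
];

function isAffected(version) {
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Workaround 2: make the API unusable. Callers get a rejected promise and fail closed
// instead of receiving part of a file rendered as a thumbnail.
function disableThumbnailApi(nativeImage) {
  nativeImage.createThumbnailFromPath = () =>
    Promise.reject(new Error('createThumbnailFromPath is disabled in this application'));
  return nativeImage;
}

// Workaround 1: hardened webPreferences for BrowserWindow, beside the weak shape for contrast.
const weakWebPreferences = { sandbox: true, contextIsolation: false, nodeIntegration: true };
const hardenedWebPreferences = { sandbox: true, contextIsolation: true, nodeIntegration: false };

// Startup hook (assumed usage: call with process.versions.electron and electron.nativeImage
// before creating any window). Applies the guard whenever the running build is affected.
function hardenStartup(electronVersion, nativeImage) {
  const affected = isAffected(electronVersion);
  if (affected) disableThumbnailApi(nativeImage);
  return { affected, webPreferences: hardenedWebPreferences };
}
```

Even on a fixed build, passing `hardenedWebPreferences` to `new BrowserWindow({ webPreferences })` keeps renderer code out of the preload's privileged world.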
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Electron | Electronjs | 10.1.0 (including) | 11.5.0 (excluding) |
Electron | Electronjs | 12.0.0 (including) | 12.1.0 (excluding) |
Electron | Electronjs | 13.0.0 (including) | 13.3.0 (excluding) |
Electron | Electronjs | 14.0.0-beta1 (including) | 14.0.0-beta1 (including) |
Electron | Electronjs | 14.0.0-beta10 (including) | 14.0.0-beta10 (including) |
Electron | Electronjs | 14.0.0-beta11 (including) | 14.0.0-beta11 (including) |
Electron | Electronjs | 14.0.0-beta12 (including) | 14.0.0-beta12 (including) |
Electron | Electronjs | 14.0.0-beta13 (including) | 14.0.0-beta13 (including) |
Electron | Electronjs | 14.0.0-beta14 (including) | 14.0.0-beta14 (including) |
Electron | Electronjs | 14.0.0-beta15 (including) | 14.0.0-beta15 (including) |
Electron | Electronjs | 14.0.0-beta16 (including) | 14.0.0-beta16 (including) |
Electron | Electronjs | 14.0.0-beta17 (including) | 14.0.0-beta17 (including) |
Electron | Electronjs | 14.0.0-beta18 (including) | 14.0.0-beta18 (including) |
Electron | Electronjs | 14.0.0-beta19 (including) | 14.0.0-beta19 (including) |
Electron | Electronjs | 14.0.0-beta2 (including) | 14.0.0-beta2 (including) |
Electron | Electronjs | 14.0.0-beta20 (including) | 14.0.0-beta20 (including) |
Electron | Electronjs | 14.0.0-beta21 (including) | 14.0.0-beta21 (including) |
Electron | Electronjs | 14.0.0-beta22 (including) | 14.0.0-beta22 (including) |
Electron | Electronjs | 14.0.0-beta23 (including) | 14.0.0-beta23 (including) |
Electron | Electronjs | 14.0.0-beta24 (including) | 14.0.0-beta24 (including) |
Electron | Electronjs | 14.0.0-beta25 (including) | 14.0.0-beta25 (including) |
Electron | Electronjs | 14.0.0-beta3 (including) | 14.0.0-beta3 (including) |
Electron | Electronjs | 14.0.0-beta4 (including) | 14.0.0-beta4 (including) |
Electron | Electronjs | 14.0.0-beta5 (including) | 14.0.0-beta5 (including) |
Electron | Electronjs | 14.0.0-beta6 (including) | 14.0.0-beta6 (including) |
Electron | Electronjs | 14.0.0-beta7 (including) | 14.0.0-beta7 (including) |
Electron | Electronjs | 14.0.0-beta8 (including) | 14.0.0-beta8 (including) |
Electron | Electronjs | 14.0.0-beta9 (including) | 14.0.0-beta9 (including) |
Electron | Electronjs | 15.0.0-alpha1 (including) | 15.0.0-alpha1 (including) |
Electron | Electronjs | 15.0.0-alpha2 (including) | 15.0.0-alpha2 (including) |
Electron | Electronjs | 15.0.0-alpha3 (including) | 15.0.0-alpha3 (including) |
Electron | Electronjs | 15.0.0-alpha4 (including) | 15.0.0-alpha4 (including) |
Electron | Electronjs | 15.0.0-alpha5 (including) | 15.0.0-alpha5 (including) |
Electron | Electronjs | 15.0.0-alpha6 (including) | 15.0.0-alpha6 (including) |
Electron | Electronjs | 15.0.0-alpha7 (including) | 15.0.0-alpha7 (including) |
Electron | Electronjs | 15.0.0-alpha8 (including) | 15.0.0-alpha8 (including) |
Electron | Electronjs | 15.0.0-alpha9 (including) | 15.0.0-alpha9 (including) |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.