CVE-2020-15096

In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affected. There are no app-side workarounds, you must update your Electron version to be protected. This is fixed in versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
GitHub_MCNA
6.8 MEDIUM
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
VendorProductVersion
electronjselectron
𝑥
< 6.1.1
electronjselectron
7.0.0 ≤
𝑥
< 7.2.4
electronjselectron
8.0.0 ≤
𝑥
< 8.2.4
electronjselectron
9.0.0
electronjselectron
9.0.0:beta1
electronjselectron
9.0.0:beta10
electronjselectron
9.0.0:beta11
electronjselectron
9.0.0:beta12
electronjselectron
9.0.0:beta13
electronjselectron
9.0.0:beta14
electronjselectron
9.0.0:beta15
electronjselectron
9.0.0:beta16
electronjselectron
9.0.0:beta17
electronjselectron
9.0.0:beta18
electronjselectron
9.0.0:beta19
electronjselectron
9.0.0:beta2
electronjselectron
9.0.0:beta20
electronjselectron
9.0.0:beta3
electronjselectron
9.0.0:beta4
electronjselectron
9.0.0:beta5
electronjselectron
9.0.0:beta6
electronjselectron
9.0.0:beta7
electronjselectron
9.0.0:beta8
electronjselectron
9.0.0:beta9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg
https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824
https://github.com/electron/electron/security/advisories/GHSA-6vrv-94jv-crrg
https://www.electronjs.org/releases/stable?page=3#release-notes-for-v824