CVE-2020-26272

The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In Electron versions prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler, then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no known workarounds for this issue.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5.4 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
| GitHub_M | CNA | 5.4 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
| CVE | ADP | --- | | | | --- |

EPSS Score: Percentile: 75%

| Vendor | Product | Version |
|---|---|---|
| electronjs | electron | 9.0.0 ≤ 𝑥 < 9.4.0 |
| electronjs | electron | 10.0.0 ≤ 𝑥 < 10.2.0 |
| electronjs | electron | 11.0.0 ≤ 𝑥 < 11.1.0 |
| electronjs | electron | 9.0.0:beta1 |
| electronjs | electron | 9.0.0:beta10 |
| electronjs | electron | 9.0.0:beta11 |
| electronjs | electron | 9.0.0:beta12 |
| electronjs | electron | 9.0.0:beta13 |
| electronjs | electron | 9.0.0:beta14 |
| electronjs | electron | 9.0.0:beta15 |
| electronjs | electron | 9.0.0:beta16 |
| electronjs | electron | 9.0.0:beta17 |
| electronjs | electron | 9.0.0:beta18 |
| electronjs | electron | 9.0.0:beta19 |
| electronjs | electron | 9.0.0:beta2 |
| electronjs | electron | 9.0.0:beta20 |
| electronjs | electron | 9.0.0:beta21 |
| electronjs | electron | 9.0.0:beta22 |
| electronjs | electron | 9.0.0:beta23 |
| electronjs | electron | 9.0.0:beta24 |
| electronjs | electron | 9.0.0:beta3 |
| electronjs | electron | 9.0.0:beta4 |
| electronjs | electron | 9.0.0:beta5 |
| electronjs | electron | 9.0.0:beta6 |
| electronjs | electron | 9.0.0:beta7 |
| electronjs | electron | 9.0.0:beta8 |
| electronjs | electron | 9.0.0:beta9 |
| electronjs | electron | 10.0.0:beta1 |
| electronjs | electron | 10.0.0:beta10 |
| electronjs | electron | 10.0.0:beta11 |
| electronjs | electron | 10.0.0:beta12 |
| electronjs | electron | 10.0.0:beta13 |
| electronjs | electron | 10.0.0:beta14 |
| electronjs | electron | 10.0.0:beta15 |
| electronjs | electron | 10.0.0:beta17 |
| electronjs | electron | 10.0.0:beta19 |
| electronjs | electron | 10.0.0:beta2 |
| electronjs | electron | 10.0.0:beta20 |
| electronjs | electron | 10.0.0:beta21 |
| electronjs | electron | 10.0.0:beta23 |
| electronjs | electron | 10.0.0:beta24 |
| electronjs | electron | 10.0.0:beta25 |
| electronjs | electron | 10.0.0:beta3 |
| electronjs | electron | 10.0.0:beta4 |
| electronjs | electron | 10.0.0:beta5 |
| electronjs | electron | 10.0.0:beta6 |
| electronjs | electron | 10.0.0:beta7 |
| electronjs | electron | 10.0.0:beta8 |
| electronjs | electron | 10.0.0:beta9 |
| electronjs | electron | 11.0.0:beta1 |
| electronjs | electron | 11.0.0:beta10 |
| electronjs | electron | 11.0.0:beta11 |
| electronjs | electron | 11.0.0:beta12 |
| electronjs | electron | 11.0.0:beta13 |
| electronjs | electron | 11.0.0:beta14 |
| electronjs | electron | 11.0.0:beta15 |
| electronjs | electron | 11.0.0:beta16 |
| electronjs | electron | 11.0.0:beta17 |
| electronjs | electron | 11.0.0:beta18 |
| electronjs | electron | 11.0.0:beta19 |
| electronjs | electron | 11.0.0:beta20 |
| electronjs | electron | 11.0.0:beta21 |
| electronjs | electron | 11.0.0:beta22 |
| electronjs | electron | 11.0.0:beta23 |
| electronjs | electron | 11.0.0:beta3 |
| electronjs | electron | 11.0.0:beta4 |
| electronjs | electron | 11.0.0:beta5 |
| electronjs | electron | 11.0.0:beta6 |
| electronjs | electron | 11.0.0:beta7 |
| electronjs | electron | 11.0.0:beta8 |
| electronjs | electron | 11.0.0:beta9 |
| electronjs | electron | 12.0.0:beta1 |
| electronjs | electron | 12.0.0:beta3 |
| electronjs | electron | 12.0.0:beta4 |
| electronjs | electron | 12.0.0:beta5 |
| electronjs | electron | 12.0.0:beta6 |
| electronjs | electron | 12.0.0:beta7 |
| electronjs | electron | 12.0.0:beta8 |
| electronjs | electron | 12.0.0:beta9 |

𝑥 = Vulnerable software versions