CVE-2024-23755

ClickUp Desktop before 3.3.77 on macOS and Windows allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
CISA-ADPADP
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Common Weakness Enumeration
References
https://clickup.com/security/disclosures
https://clickup.com/terms/security-policy
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses
https://clickup.com/security/disclosures
https://clickup.com/terms/security-policy
https://www.electronjs.org/blog/statement-run-as-node-cves
https://www.electronjs.org/docs/latest/tutorial/fuses