Vulnerability Description
Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via the victim opening an electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006, specifically the black list used was not case insensitive allowing an attacker to potentially bypass it.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Electronjs | Electron | <= 1.8.1 |
Related Weaknesses (CWE)
References
- https://electronjs.org/releases#1.8.2-beta.5Third Party Advisory
- https://github.com/electron/electron/commit/ce361a12e355f9e1e99c989f1ea056c9e502PatchThird Party Advisory
- https://electronjs.org/releases#1.8.2-beta.5Third Party Advisory
- https://github.com/electron/electron/commit/ce361a12e355f9e1e99c989f1ea056c9e502PatchThird Party Advisory
FAQ
What is CVE-2018-1000118?
CVE-2018-1000118 is a vulnerability with a CVSS score of 8.8 (HIGH). Github Electron version Electron 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in Protocol Handler that can result in command execute. This attack appear to be exploitable via th...
How severe is CVE-2018-1000118?
CVE-2018-1000118 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000118?
Check the references section above for vendor advisories and patch information. Affected products include: Electronjs Electron.