Vulnerability Description
In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1, the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched in versions 11.0.0-beta.1, 10.0.1, 9.3.0 and 8.5.1. As a workaround, sandbox all your iframes using the sandbox attribute. This will prevent them from creating top-frame navigations and is good practice anyway.
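The two defensive pieces the description names, a `will-navigate` guard in the main process and the iframe `sandbox` workaround, as an added example that is not part of the advisory or of Electron's own code. The allowlisted origin, the sample HTML and the `installNavigationGuard` / `auditIframes` helper names are constructed for this example; the Electron wiring (`app.on('web-contents-created', ...)` and `contents.on('will-navigate', ...)`) is shown in comments and is not executed here, so the guard logic and the iframe audit run as plain Node.js. On an unpatched version the guard alone is bypassable by a sub-frame's top-frame navigation, which is why the audit flags iframes that lack `sandbox` or whose sandbox token list re-enables top navigation.

```javascript
// Added example: will-navigate allowlist guard + iframe sandbox audit.
// Not Electron's code; names and sample values below are constructed.

// Origins this hypothetical app may navigate its top frame to (constructed).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Decide whether a top-frame navigation target is acceptable.
// Unparseable URLs and non-https schemes are denied outright.
function isAllowedNavigation(target, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(target);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:') return false;
  return allowed.has(parsed.origin);
}

// Attach the guard to a webContents-like object (anything with .on()).
// Blocked targets are collected in `blocked` so they can be logged or alerted on.
function installNavigationGuard(contents, allowed = ALLOWED_ORIGINS, blocked = []) {
  const handler = (event, url) => {
    if (!isAllowedNavigation(url, allowed)) {
      event.preventDefault(); // cancel the navigation
      blocked.push(url);      // detection: record what was attempted
    }
  };
  contents.on('will-navigate', handler);
  return { handler, blocked };
}

// Electron main-process wiring (assumed, not executed in this example):
//   const { app } = require('electron');
//   app.on('web-contents-created', (_event, contents) => {
//     installNavigationGuard(contents);
//   });

// Sandbox tokens that hand top-frame navigation back to the iframe.
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

// Lint rendered HTML for iframes that could still perform a top-frame navigation.
// This is a regex-based check for templates, not an HTML parser.
function auditIframes(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const m = tag.match(
      /\ssandbox(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?(?=[\s>/])/i,
    );
    if (!m) {
      findings.push({ tag, reason: 'missing sandbox attribute' });
      continue;
    }
    const tokens = (m[1] ?? m[2] ?? m[3] ?? '').toLowerCase().split(/\s+/);
    if (tokens.some((t) => TOP_NAV_TOKENS.has(t))) {
      findings.push({ tag, reason: 'sandbox permits top-frame navigation' });
    }
  }
  return findings;
}

// Constructed sample markup: one unsandboxed frame, one correctly sandboxed,
// one that re-enables top navigation, one with a safe token list.
const SAMPLE_HTML = `
<iframe src="https://widgets.example.org/a"></iframe>
<iframe sandbox src="https://widgets.example.org/b"></iframe>
<iframe sandbox="allow-scripts allow-top-navigation" src="https://widgets.example.org/c"></iframe>
<iframe sandbox="allow-scripts allow-same-origin" src="https://widgets.example.org/d"></iframe>
`;

module.exports = { isAllowedNavigation, installNavigationGuard, auditIframes, SAMPLE_HTML };
```

Run `auditIframes(SAMPLE_HTML)` against your own templates in CI to catch frames that lack `sandbox` or grant `allow-top-navigation`; on a patched Electron the `will-navigate` guard fires for sub-frame-initiated top navigations too, and the audit remains worthwhile as defence in depth.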
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Electronjs | Electron | >= 8.0.0, < 8.5.1 |
Related Weaknesses (CWE)
References
- https://github.com/electron/electron/commit/18613925610ba319da7f497b6deed85ad712 (Patch, Third Party Advisory)
- https://github.com/electron/electron/security/advisories/GHSA-2q4g-w47c-4674 (Third Party Advisory)
FAQ
What is CVE-2020-15174?
CVE-2020-15174 is a vulnerability with a CVSS score of 7.5 (HIGH). In Electron before versions 11.0.0-beta.1, 10.0.1, 9.3.0 or 8.5.1 the `will-navigate` event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be b...
How severe is CVE-2020-15174?
CVE-2020-15174 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-15174?
Check the references section above for vendor advisories and patch information. Affected products include: Electronjs Electron.