CVE-2020-15174

Improper Input Validation in npm/electron

Identifiers

CVE-2020-15174, GHSA-2q4g-w47c-4674

Package Slug

npm/electron

Vulnerability

Improper Input Validation

Description

In Electron, the will-navigate event that apps use to prevent navigations to unexpected destinations, as per our security recommendations, can be bypassed when a sub-frame performs a top-frame navigation across sites. The issue is patched. As a workaround, sandbox all your iframes using the sandbox attribute. This will prevent them from creating top-frame navigations and is good practice anyway.

Affected Versions

All versions starting from 8.0.0 before 8.5.1, all versions starting from 9.0.0 before 9.3.0, all versions starting from 10.0.0 before 10.0.1

Solution

Upgrade to versions 8.5.1, 9.3.0, 10.0.1 or above.

Last Modified

2020-10-22
