Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
Vulnerability Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling `contextIsolation` in one's app. One may also disable the functionality of the `createThumbnailFromPath` API if one does not need it.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Vulnerability Type
将资源暴露给错误范围
Vulnerability Title
Electron 安全漏洞
Vulnerability Description
Electron是个人开发者的一个用户编写跨平台桌面应用的 JavaScript 框架。该框架基于 nodejs 和 Chromium 可以使用HTML,CSS实现跨平台桌面应用的编写。 Electron存在安全漏洞,该漏洞允许沙箱渲染器请求用户系统中任意文件的“缩略图”图像。缩略图可能包含原始文件的重要部分,在许多情况下包括文本数据。15.0.0-alpha版本。10、14.0.0、13.3.0、12.1.0和11.5.0都包含针对该漏洞的修复。除了升级之外,还有两种解决方案可用。其中一个可能会使脆弱性
CVSS Information
N/A
Vulnerability Type
N/A