CVE-2018-1000536

Name of the Vulnerable Software and Affected Versions Medis versions 0.6.1 and earlier

Description The issue allows for unauthorized code execution on the victim's machine, within the rights of the running application, due to a XSS vulnerability evolving into code execution. This is caused by enabled nodeIntegration for the renderer process vulnerability in the Key name parameter on new key creation. The attack can be exploited when the victim is synchronizing data from the redis server that contains malicious key value.

Recommendations For Medis versions 0.6.1 and earlier, consider disabling the nodeIntegration for the renderer process as a temporary workaround until a patch is available. Restrict access to the Key name parameter on new key creation to minimize the risk of exploitation. Avoid synchronizing data from untrusted redis servers to prevent potential attacks.