PT-2020-14247 · Electron+1 · Electron+1
Marshallofsound +1 · Published 2020-10-06 · Updated 2025-09-23 · CVE-2020-15174
CVSS v3.1: 7.5 High
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Electron versions prior to 11.0.0-beta.1
Electron versions prior to 10.0.1
Electron versions prior to 9.3.0
Electron versions prior to 8.5.1
Description
The will-navigate event can be bypassed when a sub-frame performs a top-frame navigation across sites. This issue can be exploited to bypass navigation restrictions. As a workaround, sandboxing all iframes using the sandbox attribute can prevent them from creating top-frame navigations.
Recommendations
For versions prior to 11.0.0-beta.1, update to version 11.0.0-beta.1 or later.
For versions prior to 10.0.1, update to version 10.0.1 or later.
For versions prior to 9.3.0, update to version 9.3.0 or later.
For versions prior to 8.5.1, update to version 8.5.1 or later.
As a temporary workaround, consider sandboxing all iframes using the sandbox attribute to prevent them from creating top-frame navigations.
Fix
Protection Mechanism Failure
RCE
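A lint-style check for the sandbox workaround described above, as an added example that is not part of the advisory or of Electron's own code. It flags iframes with no sandbox attribute and iframes whose sandbox value carries one of the allow-top-navigation tokens, which hand top-frame navigation back to the frame. The function names, the widgets.example URLs and the sample markup are constructed, and the scan assumes the markup is available as a string.

```javascript
// Added example: static audit for the iframe sandbox workaround.
// Assumption: markup is available as a string (template or built HTML file).
// Sandbox tokens that re-enable top-frame navigation (HTML Standard).
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Tokenise an attribute string; the first occurrence of a name wins, as in HTML.
function parseAttrs(s) {
  const attrs = new Map();
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  for (const m of s.matchAll(re)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Return one finding per iframe that could still navigate the top frame.
function auditIframes(html) {
  const findings = [];
  // Quoted values are consumed whole so a '>' inside them does not end the tag.
  const tagRe = /<iframe\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  for (const m of html.matchAll(tagRe)) {
    const attrs = parseAttrs(m[1]);
    const src = attrs.get('src') ?? '(no src)';
    if (!attrs.has('sandbox')) {
      findings.push({ src, issue: 'missing sandbox attribute' });
      continue;
    }
    // Sandbox tokens are space-separated and ASCII case-insensitive.
    const risky = attrs.get('sandbox').toLowerCase().split(/\s+/)
      .filter((t) => TOP_NAV_TOKENS.has(t));
    if (risky.length) findings.push({ src, issue: 'sandbox allows: ' + risky.join(', ') });
  }
  return findings;
}

// Constructed sample markup, not taken from any real application.
const SAMPLE = `
<iframe src="https://widgets.example/a"></iframe>
<iframe src="https://widgets.example/b" sandbox="allow-scripts"></iframe>
<iframe src="https://widgets.example/c" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe title="not a sandbox" src="https://widgets.example/d"></iframe>
<iframe src="https://widgets.example/e" sandbox></iframe>
`;
console.log(auditIframes(SAMPLE));
```

The scan only sees iframes present in static markup; frames created at runtime by script need the same check at the point where they are created.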
Related Identifiers
Affected Products
Alt Linux
Electron