PT-2023-19083 · Electron · Electron

Andreasdj · Published 2023-09-06 · Updated 2024-06-15 · CVE-2023-23623

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Electron versions 22 through 23

Description: A Content-Security-Policy that disables eval (a script-src directive that does not include 'unsafe-eval') is not respected in renderers with the sandbox disabled, so eval() and new Function can be used where the policy intends to forbid them, which expands the attack surface. The affected renderers have sandbox: false in the webPreferences object.

Recommendations: For Electron version 22, upgrade to version 22.0.1. For Electron version 23, upgrade to version 23.0.0-alpha.2. If upgrading is not possible, enable sandbox: true on all renderers as a temporary workaround. Alternatively, enabling contextIsolation: true on all renderers also addresses the issue.
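As an added illustration (not code from Electron or from the advisory), the following script decides whether a CSP header intends to block eval and whether, under the conditions this advisory describes, a given webPreferences object would honor that restriction. The sample CSP and the auditRenderer/hardenWebPreferences helpers are constructed for this example; only explicit sandbox/contextIsolation values are considered, and Electron's defaults and version numbers are not modeled.

```javascript
// Added example, not code from Electron or from the advisory authors.
// Parses a CSP header and checks whether the eval() restriction it expresses
// would be honored by a renderer with the given webPreferences (per this advisory).

// Constructed sample CSP: script-src is present and lacks 'unsafe-eval',
// so the policy intends to block eval() and new Function.
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://cdn.example.invalid";

// Split a CSP header into { directiveName: [sourceTokens] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// True when the policy forbids eval: the governing directive
// (script-src, else default-src) exists and does not list 'unsafe-eval'.
function cspDisablesEval(csp) {
  const d = parseCsp(csp);
  const governing = d['script-src'] || d['default-src'];
  if (!governing) return false; // no governing directive: eval is unrestricted anyway
  return !governing.map((s) => s.toLowerCase()).includes("'unsafe-eval'");
}

// Audit one renderer. Only an explicit sandbox: true or contextIsolation: true
// counts as the advisory's workaround; a renderer with sandbox: false and no
// context isolation is the affected configuration.
function auditRenderer(csp, webPreferences) {
  const evalBlockedByCsp = cspDisablesEval(csp);
  const restrictionHonored =
    webPreferences.sandbox === true || webPreferences.contextIsolation === true;
  return { evalBlockedByCsp, restrictionHonored, exposed: evalBlockedByCsp && !restrictionHonored };
}

// Return a copy of webPreferences with the advisory's primary workaround applied.
function hardenWebPreferences(webPreferences) {
  return { ...webPreferences, sandbox: true };
}

// Constructed weak configuration: the affected shape described in the advisory.
const weakPrefs = { nodeIntegration: false, sandbox: false, contextIsolation: false };
console.log(auditRenderer(SAMPLE_CSP, weakPrefs));                          // exposed: true
console.log(auditRenderer(SAMPLE_CSP, hardenWebPreferences(weakPrefs)));    // exposed: false
```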

Related Identifiers

CVE-2023-23623
GHSA-GXH7-WV9Q-FWFR
OPENSUSE-SU-2024:12869-1

Affected Products

Electron