CVE-2018-1000118
Electron protocol handler browser vulnerable to Command Injection
8.8
HIGH
CVSS 3.1
EPSS 5.2%
Description
GitHub Electron version 1.8.2-beta.4 and earlier contains a Command Injection vulnerability in the Protocol Handler that can result in command execution. This attack appears to be exploitable via the victim opening an Electron protocol handler in their browser. This vulnerability appears to have been fixed in Electron 1.8.2-beta.5. This issue is due to an incomplete fix for CVE-2018-1000006: specifically, the blacklist used was not case-insensitive, allowing an attacker to potentially bypass it.
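An added illustration of the case-sensitivity flaw described above, not Electron's own code: a simplified argument blocklist as a protocol-handler launcher might apply it, with the case-sensitive check beside a case-insensitive one. The blocked switch names and the sample argument vector are constructed placeholders, not the list Electron actually used.

```javascript
// Added example, not Electron's code. The blocked switch names are
// constructed placeholders standing in for whatever the real list held.
const BLOCKED_SWITCHES = ["--example-launcher", "--example-renderer-cmd"];

// Reduce one argv entry to its switch name: "--x=y" -> "--x".
function switchName(arg) {
  const eq = arg.indexOf("=");
  return eq === -1 ? arg : arg.slice(0, eq);
}

// Weak check (the pattern an incomplete fix relies on): an exact,
// case-sensitive match. "--Example-Launcher" is not recognised as blocked,
// yet a launcher that compares switch names case-insensitively would still
// honour it, so the list is bypassed by a change of letter case alone.
function isBlockedCaseSensitive(arg) {
  return BLOCKED_SWITCHES.includes(switchName(arg));
}

// Corrected check: normalise the switch name before comparing, so letter
// case no longer decides whether an argument passes the list.
function isBlockedCaseInsensitive(arg) {
  const name = switchName(arg).toLowerCase();
  return BLOCKED_SWITCHES.some((blocked) => blocked.toLowerCase() === name);
}

// Run a check over a whole argument vector and keep only what it allows.
function filterArgs(args, isBlocked) {
  return args.filter((arg) => !isBlocked(arg));
}

// Constructed sample argument vector, as a protocol-handler URL might carry it.
const SAMPLE_ARGS = [
  "--example-launcher=a",
  "--Example-Launcher=a",
  "--EXAMPLE-RENDERER-CMD",
  "--harmless-flag",
];

// The weak check lets two case-varied switches through; the corrected one
// keeps only the harmless flag.
console.log("case-sensitive  :", filterArgs(SAMPLE_ARGS, isBlockedCaseSensitive));
console.log("case-insensitive:", filterArgs(SAMPLE_ARGS, isBlockedCaseInsensitive));
```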
How to fix CVE-2018-1000118
To remediate CVE-2018-1000118, upgrade the affected package to a fixed version below.
- upgrade to 1.8.2-beta5 or later
Is CVE-2018-1000118 being exploited?
Moderate — EPSS is 5.2%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- electron: >= 0, < 1.8.2-beta5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |