Trust Boundary Violation
CVE-2020-4077
Summary
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass. Code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using both `contextIsolation` and `contextBridge` are affected. This is fixed in versions 9.0.0-beta.21, 8.2.4 and 7.2.4.
- LOW
- NETWORK
- HIGH
- CHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-501 - Trust Boundary Violation
The product mixes trusted and untrusted data in the same data structure or structured message.
References
Advisory Timeline
- Published