Strix
26.1K

CVE-2020-26272

MEDIUMCVSS 6.5/10EPSS 1.77%

Last modified

CVE-2020-26272 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. EPSS estimates a 1.77% chance of exploitation in the next 30 days.

Description

The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no known workarounds for this issue.

Metrics

CVSS 3.1
6.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

EPSS Probability
1.77%

75.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
ElectronjsElectron>= 9.0.0, < 9.4.0
ElectronjsElectron>= 10.0.0, < 10.2.0
ElectronjsElectron>= 11.0.0, < 11.1.0
ElectronjsElectron9.0.0Beta1
ElectronjsElectron10.0.0Beta1
ElectronjsElectron11.0.0Beta1
ElectronjsElectron12.0.0Beta1

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-26272?
The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no known workarounds for this issue.
How severe is CVE-2020-26272?
CVE-2020-26272 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 1.77% probability of exploitation in the next 30 days.
How do I fix CVE-2020-26272?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-26272?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST