Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12M3dyLTY3cHgtNDR4Z80v7Q

Execution with Unnecessary Privileges in arc-electron

Impact

When the end-user click on the response header that contains a link the target will be opened in ARC new window. This window will have the default preload script loaded which allows the scripts embedded in the link target to execute any logic that ARC has access to from the renderer process, which includes file system access, data store access (which may contain sensitive information), and some additional processes that only ARC should have access to.

Patches

This is patched in version 17.0.9.

Workarounds

Do not click onto any link in the response headers view.

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-v3wr-67px-44xg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12M3dyLTY3cHgtNDR4Z80v7Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago


Identifiers: GHSA-v3wr-67px-44xg
References: Repository: https://github.com/advanced-rest-client/arc-electron
Blast Radius: 0.0

Affected Packages

npm:@advanced-rest-client/base
Dependent packages: 5
Dependent repositories: 7
Downloads: 21 last month
Affected Version Ranges: < 0.1.10
Fixed in: 0.1.10
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9
All unaffected versions: 0.1.10