{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "1.8.2-beta1" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "1.8.2-beta2" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "1.8.2-beta3" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "1.7.10" }, { "introduced": "0" }, { "last_affected": "1.6.15" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "378666668f49d3472ba7c456d97950e59ace082c" }, { "introduced": "0" }, { "last_affected": "5a44e7c0585be55fd32ff1992d11af7934d90eb2" }, { "fixed": "a1f23064e193aa1629d743125a2ae1bc55085f99" } ], "repo": "https://github.com/electron/electron", "type": "GIT" } ] } ], "details": "GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, 1.6.15 and earlier has a vulnerability in the protocol handler, specifically Electron apps running on Windows 10, 7 or 2008 that register custom protocol handlers can be tricked in arbitrary command execution if the user clicks on a specially crafted URL. This has been fixed in versions 1.8.2-beta.4, 1.7.11, and 1.6.16.", "id": "CVE-2018-1000006", "modified": "2026-03-15T13:50:11.767530405Z", "published": "2018-01-24T23:29:00.497Z", "references": [ { "type": "WEB", "url": "https://medium.com/%40Wflki/exploiting-electron-rce-in-exodus-wallet-d9e6db13c374" }, { "type": "WEB", "url": "https://www.exploit-db.com/exploits/44357/" }, { "type": "ADVISORY", "url": "http://www.securityfocus.com/bid/102796" }, { "type": "ADVISORY", "url": "https://electronjs.org/blog/protocol-handler-fix" }, { "type": "FIX", "url": "https://github.com/electron/electron/releases/tag/v1.8.2-beta.4" }, { "type": "EVIDENCE", "url": "https://www.exploit-db.com/exploits/43899/" } ], "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }