
Vulnerability report - please contact #500

silviavali opened this Issue May 8, 2018 · 4 comments


silviavali commented May 8, 2018

I would like to report a vulnerability. Could you please contact me on as I did not manage to find any e-mail from your repo to contact you.


laurent22 commented May 8, 2018

Contacted, and keeping the issue open for further reference.

@laurent22 laurent22 added the security label May 8, 2018

@laurent22 laurent22 closed this in 494e235 May 9, 2018


laurent22 commented May 9, 2018

Fix will be available in next release.

@laurent22 laurent22 reopened this May 9, 2018


foxmask commented May 10, 2018

1.0.90 released

@foxmask foxmask closed this May 10, 2018

silviavali commented May 10, 2018

"XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process"

Fixed in version 1.0.90
Vulnerable field: Note content field

As Electron-based applications are built using web technologies like HTML, CSS and JS, they are also prone to web-based attacks. If a cross-site scripting vulnerability (XSS) is found in an Electron application where node integration has been enabled for that particular BrowserWindow instance (XSS + nodeIntegration: true under webPreferences), the attacker has the capability to require node modules like 'os', etc., and hence access operating system native primitives. This allows XSS in Electron applications to evolve into code execution.

Payload used for PoC:
"><img src=1 onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">


Good reference to Electron-related issues:
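Added example, not Joplin's code and not part of the thread: the contrast the report describes, written as two Electron webPreferences objects (the renderer settings that turn an XSS into code execution beside a hardened set), a small audit helper a reviewer can run over such an object, and HTML-escaping of untrusted note content as defence in depth for the vulnerable field. The keys nodeIntegration, contextIsolation and sandbox are real Electron webPreferences options; the audit rules, the escapeHtml and containsMarkup helpers and the shortened constructed payload are this example's own assumptions. It is plain Node.js and does not need Electron installed.

```javascript
// Added example, not Joplin's code. Plain Node.js: the webPreferences objects
// below are data mirroring the real Electron option names, so this file runs
// without Electron installed.

// The renderer configuration the report describes: with nodeIntegration on,
// any script that reaches the page (e.g. via XSS in note content) can call
// require() and reach the operating system through Node modules such as 'os'.
const vulnerableWebPreferences = {
  nodeIntegration: true,
  contextIsolation: false,
};

// Hardened configuration: page script has no Node access, runs in a separate
// JS world from the preload script, and the renderer is OS-sandboxed. Any
// privileged function the UI needs is exposed deliberately from a preload
// script (contextBridge) rather than being reachable from page script.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Review helper: returns human-readable findings for a webPreferences object.
// Electron releases of that era defaulted nodeIntegration to true and
// contextIsolation to false, so a missing key is treated as the unsafe value.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration enabled: injected script can require() Node modules');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation disabled: page script shares a JS world with preload code');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox disabled: renderer process is not OS-sandboxed');
  }
  return findings;
}

// Defence in depth for the vulnerable field: untrusted note text that is
// inserted into the rendered document as HTML must be escaped so the browser
// never sees a tag boundary, whatever the renderer settings happen to be.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// A string can only create elements (and therefore event-handler attributes
// such as onerror) if it contains a tag start; after escaping there is none.
function containsMarkup(html) {
  return /<[a-zA-Z\/!]/.test(html);
}

// Constructed stand-in for the report's payload (shortened: the handler body
// is irrelevant to the point, which is that the tag must never be parsed).
const constructedPayload = '"><img src=1 onerror="alert(1)">';

// Collects every result in one place so the outcome can be inspected.
function demo() {
  return {
    vulnerableFindings: auditWebPreferences(vulnerableWebPreferences),
    hardenedFindings: auditWebPreferences(hardenedWebPreferences),
    rawNoteCreatesMarkup: containsMarkup(constructedPayload),
    escapedNoteCreatesMarkup: containsMarkup(escapeHtml(constructedPayload)),
  };
}

console.log(demo());
```

Run with `node` and compare the two findings lists: the vulnerable object trips all three rules, the hardened one none. The escaping step is independent of the renderer settings; disabling nodeIntegration limits what an injected script can reach, while escaping (or a proper sanitizer in a real app) stops the injection from producing elements at all, and a defender wants both layers.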
