CVE-2018-15685
published 2018-08-23

CVE-2018-15685: GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options…

Priority: P2 (62)
Severity: high, CVSS 3.0 base score 8.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see Detection & IOCs)
EPSS: 10.43% (95.2th percentile)
GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.

Affected (8 ranges)

Vendor      Product   Version range                    Fixed in
electron    electron  >= 1.7.0 < 1.7.16                1.7.16
electron    electron  >= 1.8.0 < 1.8.8                 1.8.8
electron    electron  >= 2.0.0 < 2.0.8                 2.0.8
electron    electron  >= 3.0.0-beta.1 < 3.0.0-beta.7   3.0.0-beta.7
electronjs  electron  (no version range listed)        (not listed)

The remaining three electronjs/electron entries in the source carry no version data and are omitted here.

Detection & IOCs (extracted from sources)

URL: https://github.com/matt-/CVE-2018-15685
URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45272.zip
  • Look for Electron apps using the 'nativeWindowOpen: true' or 'sandbox: true' WebPreferences options combined with nested IFRAME elements; this configuration is the prerequisite for exploitation.
  • Prioritize patching and detection for Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, the last unpatched release in each line. Earlier releases in the affected ranges above are also unpatched, so any version below the fixed release for its line should be treated as exploitable.
  • Monitor for Electron renderer processes that have nodeIntegration disabled but spawn child windows from nested IFRAMEs: exploitation re-enables Node bindings in the child window because the parent's WebPreferences are not correctly inherited.
  • Detect exploitation attempts originating from XSS or remotely controlled URLs within Electron-rendered pages that attempt to open child windows.
  • The vulnerability only manifests under specific WebPreferences configurations; apps NOT using 'nativeWindowOpen: true' or 'sandbox: true' with nested child windows are not affected.
  • The PoC main.js deliberately sets nodeIntegration: false in the BrowserWindow webPreferences, demonstrating that the bypass works even when nodeIntegration is explicitly disabled; detection rules should not rely solely on nodeIntegration=true as an indicator.
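Added example (not part of this advisory, the linked PoC, or the Electron project): a plain-Node audit of the prerequisites listed above. It checks a reported Electron version against the four fixed-in rows of the affected table, flags the webPreferences combination the advisory names, and models the child-window option hardening a main process can apply in a 'new-window' handler. Electron itself is not loaded, so the event wiring appears only in a comment; the helper names, the assumed shape of the options object, and the sample configurations are assumptions and constructed inputs, not anything taken from the page.

```javascript
// Added example, not from the CVE page or the Electron project.
// Runs under plain Node; no Electron dependency.

// Affected ranges taken from the advisory table: [min, firstFixed) per line.
const AFFECTED_RANGES = [
  { min: '1.7.0', fixed: '1.7.16' },
  { min: '1.8.0', fixed: '1.8.8' },
  { min: '2.0.0', fixed: '2.0.8' },
  { min: '3.0.0-beta.1', fixed: '3.0.0-beta.7' },
];

// Parse "MAJOR.MINOR.PATCH[-tag.N]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/i.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Electron version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? { tag: m[4].toLowerCase(), n: Number(m[5]) } : null,
  };
}

// semver-style ordering: a pre-release sorts before the same release number.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;   // release > pre-release of the same number
  if (!pb.pre) return -1;
  if (pa.pre.tag !== pb.pre.tag) return pa.pre.tag < pb.pre.tag ? -1 : 1;
  return pa.pre.n === pb.pre.n ? 0 : (pa.pre.n < pb.pre.n ? -1 : 1);
}

// True when the version falls inside any unpatched range of the table.
function isAffectedVersion(version) {
  return AFFECTED_RANGES.some(r =>
    compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0);
}

// The configuration prerequisite the advisory names: nativeWindowOpen or
// sandbox enabled on a window that relies on nodeIntegration being off.
// nodeIntegration defaults to true in the affected Electron lines.
// Returns a list of findings; an empty list means no match.
function auditWebPreferences(version, webPreferences = {}) {
  const findings = [];
  const { nativeWindowOpen = false, sandbox = false, nodeIntegration = true } = webPreferences;
  if (!isAffectedVersion(version)) return findings;
  findings.push(`Electron ${version} is inside an affected range`);
  if (nativeWindowOpen) findings.push('nativeWindowOpen: true is set');
  if (sandbox) findings.push('sandbox: true is set');
  if (!nodeIntegration && (nativeWindowOpen || sandbox)) {
    findings.push('nodeIntegration: false can be re-enabled in child windows opened from nested IFRAMEs');
  }
  return findings;
}

// Hardening for a child-window handler: never let a child window gain Node
// access regardless of what the renderer asked for. Assumption: `options`
// has the BrowserWindow-constructor shape that the 'new-window' event passes.
// Wiring in a real main process would look like (not executed here):
//   app.on('web-contents-created', (_e, contents) => {
//     contents.on('new-window', (_ev, _url, _name, _disp, options) => {
//       Object.assign(options, hardenChildWindowOptions(options));
//     });
//   });
function hardenChildWindowOptions(options) {
  const wp = Object.assign({}, options.webPreferences || {});
  wp.nodeIntegration = false;
  wp.nodeIntegrationInWorker = false;
  wp.webviewTag = false;
  delete wp.preload;            // a preload script would also run with Node access
  return Object.assign({}, options, { webPreferences: wp });
}

// Constructed sample: the PoC-style configuration on the last unpatched 2.x.
const sampleConfig = { nativeWindowOpen: true, nodeIntegration: false };
console.log(auditWebPreferences('2.0.7', sampleConfig));
console.log(auditWebPreferences('2.0.8', sampleConfig));   // patched: []
console.log(hardenChildWindowOptions({ width: 400, webPreferences: { nodeIntegration: true, preload: '/tmp/p.js' } }));
```

The version comparator is deliberately local rather than a semver dependency so the audit can be dropped into an inventory script as-is; the pre-release handling matters here because the 3.0.0 line is only affected up to beta.6, and a naive string comparison would misclassify 3.0.0 itself.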

CVSS provenance

NVD, CVSS v3.0: 8.1 HIGH, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P