Vulnerability Details: CVE-2021-28134
Clipper before 1.0.5 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal API.
Exploit prediction scoring system (EPSS) score for CVE-2021-28134
Probability of exploitation activity in the next 30 days: 3.57%
Percentile, the proportion of vulnerabilities that are scored at or less: ~91%
CVSS scores for CVE-2021-28134
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
References for CVE-2021-28134
- https://github.com/AkashRajpurohit/clipper/pull/14/commits/28f1492a12234cf1e6af85c78bf22ee2f5090d19
  fix: check for allowed urls to be opened using shell.openExternal 🩹 by AkashRajpurohit · Pull Request #14 · AkashRajpurohit/clipper · GitHub [Patch; Third Party Advisory]
- https://github.com/AkashRajpurohit/clipper/releases/tag/v1.0.5
  Release Minor security patch release · AkashRajpurohit/clipper · GitHub [Patch; Third Party Advisory]
- https://github.com/AkashRajpurohit/clipper/issues/13
  Potential Command Execution vulnerabilities introduced by preload.js · Issue #13 · AkashRajpurohit/clipper · GitHub [Exploit; Third Party Advisory]
- https://github.com/AkashRajpurohit/clipper/pull/14
  fix: check for allowed urls to be opened using shell.openExternal 🩹 by AkashRajpurohit · Pull Request #14 · AkashRajpurohit/clipper · GitHub [Patch; Third Party Advisory]
Products affected by CVE-2021-28134
- cpe:2.3:a:clipper_project:clipper:*:*:*:*:*:*:*:*