Feb. 2, 2024, 3:31 p.m.

Packet Storm packetstormsecurity.com

WebCatalog versions prior to 48.8 call Electron's shell.openExternal function without first verifying that the URL points to an http or https resource. Because shell.openExternal hands the URL to the operating system's registered handler for whatever scheme it carries, an attacker who can get a malicious URL into a user's synced pages can cause the victim's machine to invoke an arbitrary protocol handler, which can lead to code execution. The victim has to interact with the link; once they do, the attacker can bypass the security measures that would normally block malicious file delivery.
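The fix this advisory implies is a scheme allowlist in front of shell.openExternal. The following is an added example (not WebCatalog's code and not the project's actual patch) showing the unchecked pattern beside a hardened one. It uses the WHATWG URL parser built into Node and Electron; `makeRecordingShell` is a constructed stand-in for Electron's `shell` module so the block runs outside Electron, and the sample synced URLs are constructed for illustration.

```javascript
// Only these schemes may be passed to shell.openExternal.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the normalized URL string if it is safe to open externally, else null.
// Parsing with the WHATWG URL class means the scheme is taken from the parsed
// result, not from a string prefix check that could be fooled by whitespace or case.
function safeExternalUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch {
    return null; // not a parseable absolute URL
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  // Embedded credentials are a common way to disguise the real host; refuse them too.
  if (parsed.username || parsed.password) return null;
  return parsed.href;
}

// The vulnerable pattern: the synced URL is trusted and opened directly, so
// file:, javascript: or any custom scheme reaches the OS protocol handler.
function openLinkUnchecked(shell, url) {
  return shell.openExternal(url);
}

// The hardened pattern: validate, then open only the normalized http(s) URL.
function openLinkChecked(shell, url) {
  const safe = safeExternalUrl(url);
  if (safe === null) {
    return Promise.reject(new Error(`refusing to open non-http(s) URL: ${url}`));
  }
  return shell.openExternal(safe);
}

// Splits a batch of synced page URLs into the ones that would be opened and
// the ones the guard rejects; useful for auditing what a sync payload contains.
function triageSyncedUrls(urls) {
  const allowed = [];
  const rejected = [];
  for (const u of urls) {
    const safe = safeExternalUrl(u);
    if (safe === null) rejected.push(u);
    else allowed.push(safe);
  }
  return { allowed, rejected };
}

// Constructed stand-in for Electron's shell module (records instead of opening).
function makeRecordingShell() {
  const opened = [];
  return {
    opened,
    openExternal: async (u) => { opened.push(u); },
  };
}

// Constructed sample of synced page URLs, not real WebCatalog data.
const SAMPLE_SYNCED_URLS = [
  'https://example.com/docs',
  'HTTP://Example.com',
  'file:///etc/passwd',
  'javascript:alert(1)',
  'custom-handler://launch',
  'https://user:pw@example.com/',
  'not a url',
];

console.log(triageSyncedUrls(SAMPLE_SYNCED_URLS));
```

In a real Electron app the guard belongs at every call site of `shell.openExternal`, including `setWindowOpenHandler` and `will-navigate` handlers, since any of them can receive attacker-controlled URLs.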

