How severe is CVE-2023-23623?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2023-23623?

This is classified as CWE-670, which is a common weakness in software security.

CVE-2023-23623 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. A Content-Security-Policy that disables eval, specifically setting a `script-src` directive and _not_ providing `unsafe-eval` in that directive, is not respected in renderers that have sandbox disabled. i.e. `sandbox: false` in the `webPreferences` object. This allows usage of methods like `eval()` and `new Function` unexpectedly which can result in an expanded attack surface. This issue only ever affected the 22 and 23 major versions of Electron and has been fixed in the latest versions of those release lines. Specifically, these versions contain the fixes: 22.0.1 and 23.0.0-alpha.2 We recommend all apps upgrade to the latest stable version of Electron. If upgrading isn't possible, this issue can be addressed without upgrading by enabling `sandbox: true` on all renderers.

Related Vulnerabilities

CVE-2019-17192

CRITICAL

CVSS:9.8(Critical)

The WebRTC component in the Signal Private Messenger application through 4.47.7 for Android processes videoconferencing RTP packets before a callee chooses to answer a call, which might make it easier...

CWE-6702019

CVE-2020-17466

CRITICAL

CVSS:9.8(Critical)

Turcom TRCwifiZone through 2020-08-10 allows authentication bypass by visiting manage/control.php and ignoring 302 Redirect responses.

CWE-6702020

CVE-2020-1914

CRITICAL

CVSS:9.8(Critical)

A logic vulnerability when handling the SaveGeneratorLong instruction in Facebook Hermes prior to commit b2021df620824627f5a8c96615edbd1eb7fdddfc allows attackers to potentially read out of bounds or ...

CWE-6702020

CVE-2021-41153

CRITICAL

CVSS:9.8(Critical)

The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Ge...

CWE-6702021

CVE-2022-21679

CRITICAL

CVSS:9.8(Critical)

Istio is an open platform to connect, manage, and secure microservices. In Istio 1.12.0 and 1.12.1 The authorization policy with hosts and notHosts might be accidentally bypassed for ALLOW action or r...

CWE-6702022

CVE-2022-25745

CRITICAL

CVSS:9.8(Critical)

Memory corruption in modem due to improper input validation while handling the incoming CoAP message

CWE-6702022