Skip to content
/ CVE-2023-49314 Public

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and enableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

6 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

louiselalanne/CVE-2023-49314

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
README.md
README.md
 
 

Repository files navigation

CVE-2023-49314

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and enableNodeCliInspectArguments, and thus electroniz3r can be used to perform an attack.

Captura de Tela 2023-11-27 às 20 07 12

There is a tool designed to automate the process of searching for vulnerabilities in electron: https://github.com/r3ggi/electroniz3r

  • We'll check if the application is vulnerable:

Captura de Tela 2023-11-27 às 19 56 55

  • Now we can inject a bind shell:

Captura de Tela 2023-11-27 às 19 59 19

  • And we got our shell

Captura de Tela 2023-11-27 às 19 59 59

About

Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and enableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack.

Resources

Readme
Activity

Stars

6 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published