electerm 3.7.18

Direct Vulnerabilities

Known vulnerabilities in the electerm package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Use of Password Hash With Insufficient Computational Effort electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Use of Password Hash With Insufficient Computational Effort due to the `encrypt` process. An attacker can compromise the confidentiality and integrity of synced bookmark and profile data by exploiting deterministic encryption with a fixed zero IV, constant KDF salt, and lack of message authentication, allowing them to crack common passwords across installations and perform undetected ciphertext modifications. How to fix Use of Password Hash With Insufficient Computational Effort? Upgrade `electerm` to version 3.9.5 or higher.	<3.9.5
C Improper Verification of Source of a Communication Channel electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel via the `single-instance socket` process. An attacker can execute arbitrary code by sending a crafted JSON payload from a same-user process, causing the application to create tabs and potentially spawn attacker-controlled local processes. How to fix Improper Verification of Source of a Communication Channel? Upgrade `electerm` to version 3.9.5 or higher.	>=3.0.6 <3.9.5
C Unsafe Dependency Resolution electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the handling of protocol URLs or command-line options. An attacker can execute arbitrary local code by enticing a user to click a crafted `electerm://` link, open a malicious shortcut, or launch the application with attacker-controlled `--opts` arguments. This is only exploitable if the application is configured to accept protocol URLs or command-line options from untrusted sources. How to fix Unsafe Dependency Resolution? Upgrade `electerm` to version 3.8.15 or higher.	>=3.0.6 <3.8.15
H Cleartext Storage of Sensitive Information electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the `getConstants` process, which serializes the entire `process.env` object and exposes it to the renderer context as `window.pre.env`. An attacker can access sensitive environment variables and exfiltrate secrets by executing JavaScript within the renderer, such as through a malicious plugin, cross-site scripting, or terminal hyperlink execution. This is only exploitable if an attacker can execute JavaScript in the renderer context or has local access to the application's "Info" modal. How to fix Cleartext Storage of Sensitive Information? Upgrade `electerm` to version 3.9.5 or higher.	<3.9.5
H Open Redirect electerm is an open-sourced terminal/ssh/telnet/serialport/sftp client Affected versions of this package are vulnerable to Open Redirect in the `shell.openExternal` process. An attacker can execute arbitrary code or access local files by crafting a malicious URI in terminal output and enticing a user to click the displayed link. This can result in the execution of dangerous protocol handlers or the exfiltration of sensitive data. How to fix Open Redirect? There is no fixed version for `electerm`.	>=0.0.0

Vulnerability

Vulnerable Version

Use of Password Hash With Insufficient Computational Effort