electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.3.8, a command injection vulnerability exists in github.com/elcterm/electerm/npm/install.js:150. The runMac() function appends attacker-controlled remote releaseInfo.name directly into an exec("open ...") command without validation. This issue has been patched in version 3.3.8.
The runMac() function in the npm/install.js file (line 150) directly concatenates the value of the releaseInfo.name field — controlled by an attacker and retrieved from a remote source — to the exec("open ...") command without any sanitization or validation. An attacker can craft the releaseInfo.name value to inject additional system commands that will be executed in the context of the application process. It is sufficient for the application to retrieve malicious data from a spoofed or compromised update server.
An attacker can remotely execute arbitrary system commands on the victim's machine without authentication, leading to complete compromise of confidentiality, integrity, and availability of the system (full RCE).
Update electerm to version 3.3.8 or newer, in which the vulnerability has been removed. Patch available in the official GitHub repository of the project (tag v3.3.8).
Electerm Project electerm — all versions before 3.3.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HElecterm Project Electerm
APPElecterm Project< 3.3.8
Related vulnerabilities
Krytyczna podatność w kliencie electerm (wersje 3.0.6–3.8.8)
Command injection w Electerm — wstrzyknięcie polecenia przez zdalny ciąg wersji
RCE w Electerm — brak walidacji protokołu URL w handlerze hiperłączy
RCE w electerm — wykonanie kodu przez deep links i spreparowane skróty
An issue was discovered in Electerm 1.3.22, allows attackers to execute arbitrary code via unverified request ...