Headline
CVE-2023-43799: The Altair Desktop Client Does Not Sanitize External URLs before passing them to the underlying system
Altair is a GraphQL Client. Prior to version 5.2.5, the Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process. This affects versions of the software running on MacOS, Windows, and Linux. Version 5.2.5 fixes this issue.
Summary:
The Altair GraphQL Client Desktop Application does not sanitize external URLs before passing them to the underlying system. Moreover, Altair GraphQL Client also does not isolate the context of the renderer process.
Platform(s) Affected:
MacOS, Windows, Linux
Steps To Reproduce:
Open the Altair GraphQL Client Desktop Application.
Open the developer tools using shortcuts or remote devtools.
[Open External Site] Within the console, attempt to open a new window with a malformed URL, window.open(‘https://google%20.com’). The application does not sanitize this URL before passing it to the system.
[Open an executable file] Within the developer tools console, execute window.open(‘file:///Applications/Emacs.app’) – observe that, if installed on the system, the Emacs app opens. Essentially, any malicious code that runs in the renderer process can compromise the user’s underlying system.
Credit Information
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago