Summary
Camunda Modeler v5.7.0-5.12.1 depended on versions of Electron that are reported to be vulnerable via GHSA-j7hp-h8jx-5ppr.
Details
The reported libwebp vulnerability requires a malicious image to be loaded into the browser. Camunda Modeler loads third-party images in the Forms editor via the image entry, and in the BPMN editor via the element template icon. The potential attack vector would be to get the user to open a diagram or a form from an insecure source. There is no PoC for such an attack on Camunda Modeler, though.
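The following is an added example, not code from Camunda or from the advisory: it inventories the image references in a form or element template JSON file so they can be reviewed before the file is opened in an affected Modeler version. The field names (`type: "image"` with `source` for form components, `icon.contents` for element templates) are assumptions about those file formats, and the sample documents are constructed.

```python
import json

def classify(src):
    """Label an image reference as embedded (with MIME type), remote, or other."""
    s = src.strip().lower()
    if s.startswith("data:"):
        mime = s[5:].split(",", 1)[0].split(";", 1)[0]
        return "embedded:" + (mime or "unknown")
    if s.startswith(("http://", "https://", "//")):
        return "remote"
    return "other"

def image_refs(node, path="$"):
    """Recursively collect (json_path, kind, value) for every image reference.

    Assumed schema: form image components are {"type": "image", "source": ...};
    element templates carry {"icon": {"contents": ...}}.
    """
    found = []
    if isinstance(node, dict):
        src = node.get("source")
        if node.get("type") == "image" and isinstance(src, str):
            found.append((path + ".source", classify(src), src[:80]))
        icon = node.get("icon")
        if isinstance(icon, dict) and isinstance(icon.get("contents"), str):
            contents = icon["contents"]
            found.append((path + ".icon.contents", classify(contents), contents[:80]))
        for key, value in node.items():
            found += image_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found += image_refs(value, f"{path}[{i}]")
    return found

# Constructed sample inputs (not taken from any real project).
SAMPLE_FORM = json.loads("""{"type": "default", "components": [
  {"type": "textfield", "key": "name"},
  {"type": "image", "source": "https://example.invalid/logo.webp"},
  {"type": "group", "components": [
    {"type": "image", "source": "data:image/webp;base64,AAAA"}]}]}""")
SAMPLE_TEMPLATES = [{"name": "Task", "icon": {"contents": "data:image/svg+xml,%3Csvg/%3E"}}]

if __name__ == "__main__":
    for doc in (SAMPLE_FORM, SAMPLE_TEMPLATES):
        for ref in image_refs(doc):
            print(*ref, sep="\t")
```

Any `remote` entry, or an `embedded` entry in a file from an untrusted source, is an image the editor would load when the file is opened.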
Impact
As in the linked advisory.