On December 12th, 2023, TD Bank was notified through their responsible disclosure system that TD Advanced Dashboard version 3.0.3 was vulnerable to arbitrary code execution.
- TD Advanced Dashboard
- Affected: 3.0.3 and older
- Fixed: 3.0.4
Due to TD Advanced Dashboard being built with Electron v9.3.1, the Electron framework implements the ELECTRON_RUN_AS_NODE environment variable without the ability to disable the feature. Therefore a local attacker can set this environment variable and execute arbitrary code under the context of TD Advanced Dashboard.
With TD Advanced Dashboard v3.0.4, TD Bank opted to upgrade the Electron backend to v12.2.3 and set the RunAsNode fuse to false.
| Sender | Topic | Date |
|---|---|---|
| RIPEDA | Vulnerability discovered | December 12th, 2023 |
| RIPEDA | Vulnerability reported to TD Bank | December 12th, 2023 |
| TD Bank | Confirmation of report | December 14th, 2023 |
| RIPEDA | Associated vulnerability with CVE-2023-50975 | December 18th, 2023 |
| TD Bank | Vulnerability patched in 3.0.4 and released to customers | January 16th, 2024 |
| RIPEDA | Begun 30 day countdown for official disclosure | January 16th, 2024 |
| RIPEDA | Request for link to public advisory/release notes | February 6th, 2024 |
| TD Bank | Response, forwarded to app team | February 8th, 2024 |
| RIPEDA | Request for update regarding public advisory/release notes | February 14th, 2024 |
| TD Bank | Response, no update | February 15th, 2024 |
| RIPEDA | Requested CVE publication from MITRE | February 15th, 2024 |
| MITRE | Request for public reference (ex. GitHub gist) | February 16th, 2024 |
| RIPEDA | Create GitHub gist, reply to MITRE | February 18th, 2024 |
| MITRE | Published CVE | February 21st, 2024 |