Vulnerability Description
Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Miro | Miro | 0.8.18 |
| Apple | macOS | - |
Related Weaknesses (CWE)
References
- https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalat (Exploit, Third Party Advisory)
- https://github.com/louiselalanne/CVE-2024-23746 (Exploit, Third Party Advisory)
- https://miro.com/about/ (Product)
- https://www.electronjs.org/blog/statement-run-as-node-cves
FAQ
What is CVE-2024-23746?
CVE-2024-23746 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a ...
How severe is CVE-2024-23746?
CVE-2024-23746 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-23746?
Check the references section above for vendor advisories and patch information. Affected products include: Miro Miro, Apple macOS.