Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).
References
Link | Resource |
---|---|
https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection | Exploit Third Party Advisory |
https://github.com/louiselalanne/CVE-2024-23746 | Exploit Third Party Advisory |
https://miro.com/about/ | Product |
https://www.electronjs.org/blog/statement-run-as-node-cves | |
https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection | Exploit Third Party Advisory |
https://github.com/louiselalanne/CVE-2024-23746 | Exploit Third Party Advisory |
https://miro.com/about/ | Product |
https://www.electronjs.org/blog/statement-run-as-node-cves |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 08:58
Type | Values Removed | Values Added |
---|---|---|
References | () https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection - Exploit, Third Party Advisory | |
References | () https://github.com/louiselalanne/CVE-2024-23746 - Exploit, Third Party Advisory | |
References | () https://miro.com/about/ - Product | |
References | () https://www.electronjs.org/blog/statement-run-as-node-cves - |
21 Mar 2024, 02:52
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents). |
08 Mar 2024, 05:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) Miro Desktop 0.8.18 on macOS allows code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents). | |
References |
|
10 Feb 2024, 04:09
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:miro:miro:0.8.18:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CWE | CWE-94 | |
References | () https://miro.com/about/ - Product | |
References | () https://github.com/louiselalanne/CVE-2024-23746 - Exploit, Third Party Advisory | |
References | () https://book.hacktricks.xyz/macos-hardening/macos-security-and-privilege-escalation/macos-proces-abuse/macos-electron-applications-injection - Exploit, Third Party Advisory | |
First Time |
Miro
Apple Miro miro Apple macos |
02 Feb 2024, 04:58
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-02 02:15
Updated : 2024-11-21 08:58
NVD link : CVE-2024-23746
Mitre link : CVE-2024-23746
CVE.ORG link : CVE-2024-23746
JSON object : View
Products Affected
apple
- macos
miro
- miro
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')