Mathieu Farrell

**Name of the Vulnerable Software and Affected Versions** Intego Log Reporter (affected versions not specified) **Description** Intego Log Reporter, a macOS diagnostic utility, has a local privilege escalation issue. A diagnostic script executed as root creates and writes files in /tmp without secure directory handling, leading to a time-of-check to time-of-use (TOCTOU) race condition. A local user can exploit a symlink-based race condition to achieve arbitrary file writes to privileged system locations, resulting in root-level access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Intego Personal Backup (affected versions not specified) **Description** Intego Personal Backup, a macOS backup utility, has a local privilege escalation issue. Backup task definitions are stored in a writable location for non-privileged users but are processed with elevated privileges. A local attacker can exploit this by creating a malicious serialized task file to trigger arbitrary file writes to sensitive system locations, potentially gaining root access. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Citrix Secure Access Client for Mac (affected versions not specified) **Description** The issue allows an attacker to gain application privileges, enabling them to perform limited modifications and read arbitrary data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Citrix Secure Access Client for Mac (affected versions not specified) **Description** An attacker can gain application privileges to perform limited modification and/or read arbitrary data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Apache Superset versions prior to 4.1.0 Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, allowing attackers to bypass SQL authorization. The affected functions include `query to xml and xmlschema`, `table to xml`, and `table to xml and xmlschema`. This vulnerability may allow a remote attacker to execute arbitrary SQL code. Recommendations: For versions prior to 4.1.0, upgrade to version 4.1.0 to fix the issue. Alternatively, add the Postgres functions `query to xml and xmlschema`, `table to xml`, and `table to xml and xmlschema` to the config set `DISALLOWED SQL FUNCTIONS` as a temporary workaround.