Oliver Grubin

**Name of the Vulnerable Software and Affected Versions** Druva version 6.9.0 **Description** An issue in Druva for macOS allows attackers to gain escalated local privileges via the inSyncUpgradeDaemon. **Recommendations** For Druva version 6.9.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Druva version 6.9.0 **Description** An issue in Druva for MacOS allows attackers to gain escalated local privileges via the inSyncDecommission. **Recommendations** For Druva version 6.9.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Druva inSync version 6.9.0 **Description** A command injection issue exists due to an un-sanitized call to the python `os.system` library, allowing attackers to execute arbitrary commands via a crafted payload to the local HTTP server. **Recommendations** For Druva inSync version 6.9.0, update to a newer version that contains a fix for this issue, as using an un-sanitized call to the `os.system` library poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Driva inSync version 6.9.0 **Description** The issue allows attackers to force a visit to an arbitrary URL via the `port` parameter to the Electron App, which is a form of URL injection. **Recommendations** For Driva inSync version 6.9.0, consider restricting access to the Electron App until a patch is available. As a temporary workaround, avoid using the `port` parameter in the affected application to minimize the risk of exploitation.