Simon Bertrand

**Name of the Vulnerable Software and Affected Versions** Plugin Alliance Installation Manager version 1.4.0 **Description** A local privilege escalation issue exists in the InstallationHelper service of Plugin Alliance Installation Manager. The service allows unauthenticated XPC connections and uses `system()` to execute input, potentially enabling a local user to run arbitrary commands with root privileges. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the InstallationHelper service until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Plugin Alliance Installation Manager version 1.4.0 **Description** A local privilege escalation issue exists in the Plugin Alliance InstallationHelper service included with Plugin Alliance Installation Manager on macOS. The absence of a hardened runtime and a RESTRICT segment allows a local user to exploit the DYLD INSERT LIBRARIES environment variable to inject a dynamic library, potentially leading to code execution with elevated privileges. **Recommendations** Update to a newer version of Plugin Alliance Installation Manager.

**Name of the Vulnerable Software and Affected Versions** Aquarius Desktop version 3.0.069 **Description** Aquarius Desktop for macOS has an issue with how it handles files. The application does not properly check files when creating support archives, specifically when dealing with symbolic links within the ~/Library/Logs/Aquarius directory. It follows these links as if they were normal files. This allows a local attacker to potentially read or change files they shouldn't have access to by placing specially crafted symbolic links. If combined with another issue related to elevated privileges (HelperTool), even files owned by the root user could be exposed. The application uses a JUCE directory iterator to enumerate logs and writes file data without verifying if the target is a symbolic link. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Aquarius Desktop version 3.0.069 **Description** Aquarius Desktop stores user authentication credentials in the local file ~/Library/Application Support/Aquarius/aquarius.settings using a weak obfuscation scheme. The password is “encrypted” through predictable byte-substitution that can be trivially reversed, allowing immediate recovery of the plaintext value. An attacker who can read this settings file can fully compromise the victim’s Aquarius account by importing the stolen configuration into their own client or logging in through the vendor website. This results in complete account takeover, unauthorized access to cloud-synchronized data, and the ability to perform authenticated actions as the user. The vulnerable file is located at `~/Library/Application Support/Aquarius/aquarius.settings`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Aquarius HelperTool version 1.0.003 **Description** The Aquarius HelperTool on macOS contains flaws that allow local privilege escalation. The service accepts XPC connections from any local process without validating the client’s identity. Its authorization logic incorrectly calls `AuthorizationCopyRights()` with a NULL reference, causing all authorization checks to succeed. The `executeCommand:authorization:withReply:` method then interpolates attacker-controlled input into `NSTask` and executes it with root privileges. A local attacker can exploit these weaknesses to run arbitrary commands as root, create persistent backdoors, or obtain a fully interactive root shell. **Recommendations** Update to a newer version that contains a fix for this vulnerability.