CVE-2024-23746

Name of the Vulnerable Software and Affected Versions Miro Desktop version 0.8.18

Description The issue is related to incorrect code generation management in the Miro digital collaboration platform on macOS, which may allow a remote attacker to execute arbitrary code. The exploitation involves a complex series of steps, including bypassing a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents. This might be usable in some environments.

Recommendations For Miro Desktop version 0.8.18, consider disabling the Electron code injection functionality until a patch is available. Restrict access to the app.app/Contents directory to minimize the risk of exploitation. Avoid using the asar modification feature in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.