CVE-2018-6823

EUVD-2018-18570
In the VPN client in Mailbutler Shimo before 4.1.5.1 on macOS, the com.feingeist.shimo.helper tool LaunchDaemon implements an unprotected XPC service that can be abused to execute scripts as root.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
mailbutlershimo
𝑥
< 4.1.5.1
𝑥
= Vulnerable software versions
References
https://github.com/VerSprite/research/blob/master/advisories/VS-2018-001.md
https://github.com/VerSprite/research/blob/master/advisories/VS-2018-001.md