CVE-2024-23746

CRITICAL

Miro Desktop 0.8.18 - Local Code Injection via Electron App Bundle Manipulation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-23746. PoCs published by louiselalanne.

AI-analyzed exploit summary: This repository provides a technical writeup and screenshots demonstrating CVE-2024-23746, an Electron code injection vulnerability in Miro Desktop 0.8.18 on macOS. It references tools like electroniz3r and includes visual proof of vulnerability verification and blind shell injection.

Description

Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).

Exploits (1)

nomisec WRITEUP 3 stars
by louiselalanne · poc
https://github.com/louiselalanne/CVE-2024-23746

Classification: Writeup 80%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Miro Desktop 0.8.18 on macOS
No auth needed
Prerequisites: Access to the target macOS system with Miro Desktop 0.8.18 installed
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.8
EPSS 0.0129
EPSS Percentile 66.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE CWE-94
Status published
Products (1)
miro/miro 0.8.18
Published Feb 02, 2024
Tracked Since Feb 18, 2026