CVE-2021-32692 (GCVE-0-2021-32692)
Vulnerability from cvelistv5 – Published: 2022-12-23 00:00 – Updated: 2025-04-15 13:30
VLAI
Title
Activity Watch vulnerable to command execution on macOS via printAppTitle.scpt
Summary
Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.
Severity
9.6 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ActivityWatch | Activity Watch |
Affected:
0.11.0 , < 0.11.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.116Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-32692",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T13:29:31.635060Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T13:30:00.882Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Activity Watch",
"vendor": "ActivityWatch",
"versions": [
{
"lessThan": "0.11.0",
"status": "affected",
"version": "0.11.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-23T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3"
}
],
"source": {
"advisory": "",
"defect": [],
"discovery": "UNKNOWN"
},
"title": "Activity Watch vulnerable to command execution on macOS via printAppTitle.scpt",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32692",
"datePublished": "2022-12-23T00:00:00.000Z",
"dateReserved": "2021-05-12T00:00:00.000Z",
"dateUpdated": "2025-04-15T13:30:00.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-32692",
"date": "2026-06-02",
"epss": "0.00477",
"percentile": "0.65209"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:activitywatch:activitywatch:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.11.0\", \"matchCriteriaId\": \"6309D2D2-8E6B-44D2-A3F7-06AF8530F1FD\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"387021A0-AF36-463C-A605-32EA7DAC172E\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.\"}, {\"lang\": \"es\", \"value\": \"Activity Watch es un rastreador de tiempo automatizado gratuito y de c\\u00f3digo abierto. Las versiones anteriores a la 0.11.0 permiten a un atacante ejecutar comandos arbitrarios en cualquier m\\u00e1quina macOS con ActivityWatch en ejecuci\\u00f3n. El atacante puede aprovechar esta vulnerabilidad haciendo que el usuario visite un sitio web con el t\\u00edtulo de la p\\u00e1gina configurado como una cadena maliciosa. Un atacante podr\\u00eda utilizar otra aplicaci\\u00f3n para lograr lo mismo, pero el navegador web es el vector de ataque m\\u00e1s probable. Este problema est\\u00e1 solucionado en la versi\\u00f3n 0.11.0. Como workaround, los usuarios pueden ejecutar la \\u00faltima versi\\u00f3n de aw-watcher-window desde el c\\u00f3digo fuente o parchear manualmente el archivo `printAppTitle.scpt`.\"}]",
"id": "CVE-2021-32692",
"lastModified": "2024-11-21T06:07:32.587",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 6.0}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 6.0}]}",
"published": "2022-12-23T03:15:07.623",
"references": "[{\"url\": \"https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-77\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-78\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-32692\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-12-23T03:15:07.623\",\"lastModified\":\"2024-11-21T06:07:32.587\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.\"},{\"lang\":\"es\",\"value\":\"Activity Watch es un rastreador de tiempo automatizado gratuito y de c\u00f3digo abierto. Las versiones anteriores a la 0.11.0 permiten a un atacante ejecutar comandos arbitrarios en cualquier m\u00e1quina macOS con ActivityWatch en ejecuci\u00f3n. El atacante puede aprovechar esta vulnerabilidad haciendo que el usuario visite un sitio web con el t\u00edtulo de la p\u00e1gina configurado como una cadena maliciosa. Un atacante podr\u00eda utilizar otra aplicaci\u00f3n para lograr lo mismo, pero el navegador web es el vector de ataque m\u00e1s probable. Este problema est\u00e1 solucionado en la versi\u00f3n 0.11.0. Como workaround, los usuarios pueden ejecutar la \u00faltima versi\u00f3n de aw-watcher-window desde el c\u00f3digo fuente o parchear manualmente el archivo `printAppTitle.scpt`.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.6,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:activitywatch:activitywatch:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.11.0\",\"matchCriteriaId\":\"6309D2D2-8E6B-44D2-A3F7-06AF8530F1FD\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"387021A0-AF36-463C-A605-32EA7DAC172E\"}]}]}],\"references\":[{\"url\":\"https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"title\": \"Activity Watch vulnerable to command execution on macOS via printAppTitle.scpt\", \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-12-23T00:00:00.000Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.\"}], \"affected\": [{\"vendor\": \"ActivityWatch\", \"product\": \"Activity Watch\", \"versions\": [{\"version\": \"0.11.0\", \"status\": \"affected\", \"lessThan\": \"0.11.0\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 9.6, \"baseSeverity\": \"CRITICAL\"}}], \"problemTypes\": [{\"descriptions\": [{\"type\": \"CWE\", \"lang\": \"en\", \"description\": \"CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\", \"cweId\": \"CWE-77\"}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.0.9\"}, \"source\": {\"defect\": [], \"advisory\": \"\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T23:25:31.116Z\"}, \"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3\", \"tags\": [\"x_transferred\"]}]}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2021-32692\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-15T13:29:31.635060Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-15T13:29:54.999Z\"}}]}",
"cveMetadata": "{\"state\": \"PUBLISHED\", \"cveId\": \"CVE-2021-32692\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"assignerShortName\": \"GitHub_M\", \"dateUpdated\": \"2025-04-15T13:30:00.882Z\", \"dateReserved\": \"2021-05-12T00:00:00.000Z\", \"datePublished\": \"2022-12-23T00:00:00.000Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…