2 matches found
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Downloader.xpc service. A local unprivileged attacker can access and copy files protected by TCC permissions by registering the service globally and exploiting the lack of client validation. Workaround Th...
CVE-2025-10015
The Sparkle framework’s Downloader.xpc XPC service can be registered globally by a local, unprivileged attacker, causing the service to inherit the app’s TCC permissions. The root cause is lack of validation of the connecting client, allowing copying of TCC-protected files to arbitrary locations;...