CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21606 – Local Privilege Escalation via Exposed XPC Method Due to Client Verification Failure in stats
https://notcve.org/view.php?id=CVE-2025-21606
17 Jan 2025 — stats is a macOS system monitor in for the menu bar. The Stats application is vulnerable to a local privilege escalation due to the insecure implementation of its XPC service. The application registers a Mach service under the name `eu.exelban.Stats.SMC.Helper`. The associated binary, eu.exelban.Stats.SMC.Helper, is a privileged helper tool designed to execute actions requiring elevated privileges on behalf of the client, such as setting fan modes, adjusting fan speeds, and executing the `powermetrics` comm... • https://github.com/exelban/stats/commit/c10759f7a186efdd82ddd818dae2ac1f853691fc • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.5EPSS: 0%CPEs: 22EXPL: 0CVE-2025-0396 – exelban stats XPC Service shouldAcceptNewConnection command injection
https://notcve.org/view.php?id=CVE-2025-0396
12 Jan 2025 — A vulnerability, which was classified as critical, has been found in exelban stats up to 2.11.21. This issue affects the function shouldAcceptNewConnection of the component XPC Service. The manipulation leads to command injection. It is possible to launch the attack on the local host. Upgrading to version 2.11.22 is able to address this issue. • https://github.com/exelban/stats/releases/tag/v2.11.22 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18291
https://notcve.org/view.php?id=CVE-2017-18291
12 Jun 2018 — An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ladder/stats.php via the GET user parameter. Se ha descubierto un problema en PvPGN Stats 2.4.6. Existe una inyección SQL en ladder/stats.php mediante el parámetro GET user. • https://rchase.com/blog/posts/pvpgn-stats-multiple-sql-injection-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18288
https://notcve.org/view.php?id=CVE-2017-18288
12 Jun 2018 — An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ladder/stats.php via the GET game parameter. Se ha descubierto un problema en PvPGN Stats 2.4.6. Existe una inyección SQL en ladder/stats.php mediante el parámetro GET game. • https://rchase.com/blog/posts/pvpgn-stats-multiple-sql-injection-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18287
https://notcve.org/view.php?id=CVE-2017-18287
12 Jun 2018 — An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ladder/stats.php via the POST user_search parameter. Se ha descubierto un problema en PvPGN Stats 2.4.6. Existe una inyección SQL en ladder/stats.php mediante el parámetro POST user_search. • https://rchase.com/blog/posts/pvpgn-stats-multiple-sql-injection-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18290
https://notcve.org/view.php?id=CVE-2017-18290
12 Jun 2018 — An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ladder/stats.php via the GET sort_direction parameter. Se ha descubierto un problema en PvPGN Stats 2.4.6. Existe una inyección SQL en ladder/stats.php mediante el parámetro GET sort_direction. • https://rchase.com/blog/posts/pvpgn-stats-multiple-sql-injection-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-18289
https://notcve.org/view.php?id=CVE-2017-18289
12 Jun 2018 — An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exist in ladder/stats.php via the GET type parameter. Se ha descubierto un problema en PvPGN Stats 2.4.6. Existe una inyección SQL en ladder/stats.php mediante el parámetro GET type. • https://rchase.com/blog/posts/pvpgn-stats-multiple-sql-injection-vulnerabilities • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •