CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-21606 – Local Privilege Escalation via Exposed XPC Method Due to Client Verification Failure in stats
https://notcve.org/view.php?id=CVE-2025-21606
17 Jan 2025 — stats is a macOS system monitor in for the menu bar. The Stats application is vulnerable to a local privilege escalation due to the insecure implementation of its XPC service. The application registers a Mach service under the name `eu.exelban.Stats.SMC.Helper`. The associated binary, eu.exelban.Stats.SMC.Helper, is a privileged helper tool designed to execute actions requiring elevated privileges on behalf of the client, such as setting fan modes, adjusting fan speeds, and executing the `powermetrics` comm... • https://github.com/exelban/stats/commit/c10759f7a186efdd82ddd818dae2ac1f853691fc • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 8.5EPSS: 0%CPEs: 22EXPL: 0CVE-2025-0396 – exelban stats XPC Service shouldAcceptNewConnection command injection
https://notcve.org/view.php?id=CVE-2025-0396
12 Jan 2025 — A vulnerability, which was classified as critical, has been found in exelban stats up to 2.11.21. This issue affects the function shouldAcceptNewConnection of the component XPC Service. The manipulation leads to command injection. It is possible to launch the attack on the local host. Upgrading to version 2.11.22 is able to address this issue. • https://github.com/exelban/stats/releases/tag/v2.11.22 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •