CVE-2025-8533
BaseFortify
Publication date: 2025-08-07
Last updated on: 2025-08-07
Assigner: CERT.PL
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| flexibits | fantastical | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the XPC services of Fantastical, where the listener:shouldAcceptNewConnection method does not properly check client authorization. It unconditionally accepts connection requests from any local process, allowing any local, unprivileged process to connect to the XPC service and access its methods.
How can this vulnerability impact me? :
Because any local, unprivileged process can connect to the XPC service and access its methods, an attacker could potentially exploit this to perform unauthorized actions or access sensitive functionality within Fantastical, leading to potential security risks such as data exposure or unauthorized control.
What immediate steps should I take to mitigate this vulnerability?
Update Fantastical to version 4.0.16 or later, as this version resolves the vulnerability by implementing proper client authorization checks in the XPC services.