CVE-2021-32692 CRITICAL

CVE-2021-32692: Activity Watch vulnerable to command execution on macOS via printAppTitle.scpt

Vendor: Activitywatch
Product: Activity Watch
Weakness: CWE-77
Published: December 23, 2022
Last update: April 15, 2025

CVSS base score

9.6/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visit a website whose page title is set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.

Key dates

02 Disclosure timeline

December 23, 2022: CVE published
April 15, 2025: Record updated
