A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to enable iCloud storage features without user consent.
The vulnerability results from insufficient restrictions (CWE-276 — improper default permissions) in the macOS access control mechanism. An application can exploit this flaw to independently activate iCloud features without requiring user interaction or elevated privileges. Apple fixed the issue by introducing additional restrictions in permission handling.
An attacker or malicious application can enable iCloud data storage features without the user's knowledge, which may lead to unintended transmission of private data to the cloud and compromise user control over their privacy and data.
Update the system to macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5 according to information published by Apple at support.apple.com/en-us/122373, /122374, and /122375
Apple macOS Sequoia before version 15.4, macOS Sonoma before version 14.7.5, macOS Ventura before version 13.7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple macOS
OSApple13.0 – 13.7.5 (bez)14.0 – 14.7.5 (bez)15.0 – 15.4 (bez)
Related vulnerabilities
Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki