CVE-2024-23748 - Electron vulnerability
Incident Report for Miro
Resolved
We want to provide an update on the recently reported CVE-2024-23748, a vulnerability that relates to certain configurations of the ElectronJS framework and has the potential to affect a number of applications, including Miro.

The security of our users and our product is critically important to us here at Miro, and we take these reports seriously. We have thoroughly researched the potential impact of this vulnerability on the Miro client to clearly understand any exposure it might create. Based on our investigations, we believe that the potential impact is not as severe as reported. We have found that an attacker must already have the ability to run applications on a user’s computer to potentially execute code in the context of the Miro application, as also clarified in the ElectronJS blog post describing the underlying vulnerability [2]. We have addressed this vulnerability by releasing an updated, patched version of the Miro macOS application.

We strongly encourage users to update to the latest version (0.8.39), which contains the patch for this vulnerability. Most users will receive the update automatically after a restart, but enterprises that centrally manage and distribute their updates will need to proactively roll out the latest version.

Additionally, based on our investigation, we believe that the statement from the NVD [1] that this is a Remote Code Execution (RCE) vulnerability is incorrect, as an attacker requires local access to the user’s machine in order to carry out this attack. Using a standard CVSS calculation, we consider the rating for this vulnerability to be Medium. Miro has since contacted the NVD to dispute the accuracy and completeness of the information published.
Resources

[1] Miro CVE - https://nvd.nist.gov/vuln/detail/CVE-2024-23746
[2] Official Electron statement - https://www.electronjs.org/blog/statement-run-as-node-cves
Posted Feb 15, 2024 - 19:02 UTC