CVE-2021-32692: 
NixOS vulnerability analysis and mitigation

Activity Watch, a free and open-source automated time tracker, contained a critical vulnerability (CVE-2021-32692) in versions prior to 0.11.0. The vulnerability allowed attackers to execute arbitrary commands on any macOS machine running ActivityWatch. The issue was discovered by Janne Uusitupa and was patched in version 0.11.0 (GitHub Advisory).

The vulnerability stems from improper handling of window titles in the printAppTitle.scpt file. The attack vector involves setting a malicious string as a window title, most commonly through a web browser's page title. The vulnerability has a CVSS v3.1 base score of 9.6 CRITICAL with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (NVD).

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on affected macOS systems running ActivityWatch. The attack requires user interaction in the form of visiting a malicious website or opening an application with a crafted window title (GitHub Advisory).

Users should upgrade to ActivityWatch version 0.11.0 or later, which includes the security fix. For those unable to upgrade immediately, two workarounds are available: running the latest version of aw-watcher-window from source, or manually patching the printAppTitle.scpt file. The fix changes the default method of fetching window titles and patches the previous method (GitHub Advisory).