CVE-2021-47849

CVE-2021-47849 is a path traversal vulnerability in Mini Mouse version 9.3.0, a remote control application available on the Apple App Store. The flaw affects the device information endpoint, where attackers can manipulate file path parameters in API requests to access sensitive system directories such as /usr, /etc, and /var, enabling retrieval of file lists from these locations. Mapped to CWE-22, it carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but no integrity or availability disruption.

Local attackers can exploit this vulnerability without privileges or user interaction, as the low attack complexity and local vector (AV:L) suggest access to the same system or device running the affected application. Successful exploitation allows reading arbitrary files from protected directories, potentially exposing configuration data, credentials, or other sensitive information stored in /etc, /usr, or /var, which could aid further attacks like privilege escalation or lateral movement.

Advisories from Vulncheck detail the local file inclusion via path traversal, while Exploit-DB hosts a proof-of-concept exploit (ID 49747) demonstrating the issue. No specific patches are mentioned in the provided references, but practitioners should verify updates via the application's App Store listing and avoid version 9.3.0 on affected devices.

A public exploit is available on Exploit-DB, indicating potential for real-world abuse by local adversaries targeting macOS or iOS environments where Mini Mouse is installed.