Mail app on macOS contained a 0-click vulnerability
A cybersecurity researcher has published details of CVE-2020-9922, a vulnerability affecting the Mail application on macOS. Exploitation requires sending the victim an email with two .ZIP attachments.
It is a 0-click flaw that allows an attacker to add or modify arbitrary files inside the Apple Mail app's sandbox environment.
Successful exploitation of the bug can give an attacker access to confidential information, as well as the ability to modify the Mail application's configuration.
Moreover, the CVE-2020-9922 flaw can be used for worm-like attacks, in which malicious files are sent on from the victims. CVE-2020-9922 is rated 6.5 on the CVSS scale, making it medium-severity.
Apple has already patched the vulnerability with the release of macOS Mojave 10.14.6, macOS High Sierra 10.13.6 and macOS Catalina 10.15.5.
Source: anti-malware.ru
07 April 2021