A security has been found in Oracle VM VirtualBox prior to verision 6.1.20. The issue is in the script "vboxautostart-service.sh" which is distributed by Oracle as part of their virtualbox RPMs. By default this script is not used but it can be enabled by an administrator.
In the context of the autostart feature a directory "$VBOXAUTOSTART_DB" (by default /etc/vbox) is used. Local users in the system are granted write access to this directory. Users are supposed to create files of the form "<username>.start" to configure autostarting of their respective virtualbox VMs. By creating a file with a crafted name, such as "$VBOXAUTOSTART_DB/--evil.start", users are able to pass arbitrary command line flags to the "su" utility invoked by "vboxautostart-service.sh". While this does not lead to a full local root exploit due to the fact that filenames cannot contain '/' characters and that the attacker cannot influence the command that is run, it could be a successful attack vector when combined with other security issues.
Beyond this any member of the vboxusers group can influence the autostart settings of other users, as long as the victim user is allowed to autostart via /etc/vbox/autostart.cfg.