Apple Safari and macOS Cookie Management Vulnerability Leading to XSS
CVE-2024-44309 Published on November 20, 2024
A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
Known Exploited Vulnerability
This Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apple iOS, macOS, and other Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to a cross-site scripting (XSS) attack.
The following remediation steps are recommended / required by December 12, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2024-44309 can be exploited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
What is a XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-44309 has been classified to as a XSS vulnerability or weakness.
Products Associated with CVE-2024-44309
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-44309 are published in these products:
Affected Versions
Apple Safari:- Version unspecified and below 18.1 is affected.
- Version unspecified and below 15.1 is affected.
- Version unspecified and below 18.1 is affected.
- Version unspecified and below 2.1 is affected.
- Version unspecified and below 17.7 is affected.
- Before 18.1 is affected.
- Before 15.1 is affected.
- Before 2.1 is affected.
- Before 17.7 is affected.
- Version 18.0 and below 18.1 is affected.
- Before 17.7 is affected.
- Version 18.0 and below 18.1 is affected.
- Before 17.7 is affected.
- Version 18.0 and below 18.1 is affected.
- Before 17.7 is affected.
- Version 18.0 and below 18.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.