IsItPatched · Instant security status for any software version

CVE-2024-44309

MEDIUM severity · CVSS 6.3 · Cross-site scripting (XSS) · actively exploited (CISA KEV)
🔴 Actively exploited in the wild (CISA Known Exploited Vulnerabilities). Added to KEV 2024-11-21. US federal agencies must patch by 2024-12-12.

Summary

A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

Impact & exploitability

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality impact: Low
Integrity impact: Low
Availability impact: Low
Exploit probability (EPSS): 1%

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Affected products we track (1)

Recommendation

This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.

Last checked: Wed, 10 Jun 2026 22:18:30 UTC