CVE-2023-37450

CVSS 8.8 HIGH | EPSS 18.2% | KEV

In short

A vulnerability in how Apple devices process web content could allow an attacker to run malicious code on your device when you simply visit a compromised website. This is a serious flaw that Apple says has been actively exploited.

Technical detail

A memory corruption vulnerability in WebKit's web content processing engine allows arbitrary code execution with the privileges of the rendering process. The attack vector is remote and requires only user interaction (visiting a malicious webpage); no special access or authentication is needed. Apple confirmed active exploitation in the wild.

Summary generated and translated by AI from the official description.

The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, Safari 16.5.2, tvOS 16.6, macOS Ventura 13.5, watchOS 9.6. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
