CVE-2024-44309
In short
A flaw in how Safari handles cookies could allow attackers to inject malicious scripts into web pages you visit, potentially stealing your data or hijacking your session. This has been actively exploited on Intel-based Macs.
Technical detail
A cookie state management vulnerability in Safari enables cross-site scripting (XSS) attacks through maliciously crafted web content. The attack requires user interaction with a compromised or attacker-controlled website and impacts Safari on macOS, iOS, and iPadOS, with documented active exploitation on Intel-based systems.
Summary generated and translated by AI from the official description.
A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
References
http://seclists.org/fulldisclosure/2024/Nov/16
https://lists.debian.org/debian-lts-announce/2024/12/msg00003.html
https://support.apple.com/en-us/121752
https://support.apple.com/en-us/121753
https://support.apple.com/en-us/121754
https://support.apple.com/en-us/121755
https://support.apple.com/en-us/121756
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-44309