CVE-2024-44309
Published: 20 November 2024
Summary
CVE-2024-44309 is a medium-severity cross-site scripting (CWE-79) vulnerability in Apple iPadOS; the same cookie state-management flaw is also fixed in Safari, iOS, macOS Sequoia and visionOS. Its CVSS base score is 6.3 (Medium).
Operationally, it ranks in the top 23.3% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-44309 (CWE-79) is a cookie management issue that Apple addressed with improved state management across several products. Affected software includes Safari prior to 18.1.1, iOS and iPadOS prior to 17.7.2 (on the 17.x branch) and 18.1.1 (on the 18.x branch), macOS Sequoia prior to 15.1.1, and visionOS prior to 2.1.1. The CVSS 3.1 base score of 6.3 reflects a network attack vector, low attack complexity and no required privileges; user interaction is required, since the victim has to load the attacker's content.
An unauthenticated remote attacker exploits the issue by getting a user to process maliciously crafted web content, for example by visiting a page the attacker controls, and achieves a cross-site scripting effect with low impact on confidentiality, integrity and availability.
Apple's security advisories for the listed releases recommend updating to Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, or visionOS 2.1.1 to resolve the cookie state-management weakness. Note the two iOS/iPadOS branches: a device on 17.x needs 17.7.2, a device on 18.x needs 18.1.1, and an 18.0.x build is unpatched even though it is numerically newer than 17.7.2.
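As an added example (not part of the advisory or of any Apple tooling), the following POSIX shell script encodes the fixed releases listed above and reports whether a given product version is at or beyond them. The branch handling is the point worth seeing in code: iOS 18.0.1 is numerically above 17.7.2 but is still unpatched, because the fix for the 18.x branch is 18.1.1. The product keys (`safari`, `ios`, `ipados`, `macos`, `visionos`) and the status strings are this example's own conventions; the local check at the end uses the standard `sw_vers` command and the Safari bundle's `CFBundleShortVersionString` and is skipped on non-Mac hosts.

```shell
#!/bin/sh
# Added example: compare installed Apple OS/Safari versions with the releases
# that fix CVE-2024-44309. The fixed-version table comes from the advisory
# text; the branch-aware logic and status strings are this example's own.

# version_ge A B: succeed if dotted version A >= B, comparing numerically per
# component. Missing components count as 0, so 18.1 equals 18.1.0.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"
        y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# fixed_versions PRODUCT: the fixed release(s) for PRODUCT, one per branch that
# received a fix (iOS/iPadOS got both 17.7.2 and 18.1.1). Empty if unlisted.
fixed_versions() {
    case "$1" in
        safari)     echo "18.1.1" ;;
        ios|ipados) echo "17.7.2 18.1.1" ;;
        macos)      echo "15.1.1" ;;
        visionos)   echo "2.1.1" ;;
        *)          echo "" ;;
    esac
}

# patch_status PRODUCT INSTALLED: prints one of
#   patched        installed >= the fix on its branch, or a later major
#   vulnerable     same major as a fix but below it (e.g. iOS 18.0.1)
#   no-fix-listed  an older major with no fixed release in the advisory
#   unknown        product not covered, or malformed version string
patch_status() {
    product="$1" installed="$2"
    case "$installed" in ''|.*|*[!0-9.]*) echo "unknown"; return 0 ;; esac
    fixed_list="$(fixed_versions "$product")"
    if [ -z "$fixed_list" ]; then echo "unknown"; return 0; fi
    inst_major="${installed%%.*}"
    newest_major=0
    for fixed in $fixed_list; do
        fixed_major="${fixed%%.*}"
        if [ "$fixed_major" -eq "$inst_major" ]; then
            if version_ge "$installed" "$fixed"; then echo "patched"; else echo "vulnerable"; fi
            return 0
        fi
        if [ "$fixed_major" -gt "$newest_major" ]; then newest_major="$fixed_major"; fi
    done
    # No fix on this branch: a later major already contains it, an earlier
    # major received nothing in this advisory.
    if [ "$inst_major" -gt "$newest_major" ]; then echo "patched"; else echo "no-fix-listed"; fi
}

# Local check, only on a Mac: OS version via sw_vers, Safari via its bundle plist.
if command -v sw_vers >/dev/null 2>&1; then
    os_ver="$(sw_vers -productVersion)"
    echo "macOS $os_ver: $(patch_status macos "$os_ver")"
    plist=/Applications/Safari.app/Contents/Info.plist
    if [ -f "$plist" ]; then
        safari_ver="$(defaults read "$plist" CFBundleShortVersionString)"
        echo "Safari $safari_ver: $(patch_status safari "$safari_ver")"
    fi
fi
```

Run it directly on a Mac to see the host's own status, or source it and call `patch_status ios 18.0.1` from an inventory or MDM script. On macOS 14 or earlier the operating system itself is not listed in the advisory, so the Safari version is the check that matters there.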
Apple has said it is aware of a report that the vulnerability may have been actively exploited on Intel-based Mac systems. Despite the KEV listing, the EPSS score remains low, with only minor movement between its current value of 0.0094 and its peak of 0.0131; EPSS estimates the probability of broad exploitation activity and does not reflect the targeted use Apple's wording implies, so the KEV entry, not the EPSS value, should drive patch priority here.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-41208
Vulnerability details
A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
- CWE(s): CWE-79 (Cross-site Scripting)
- KEV Date Added: 21 November 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches (Safari 18.1.1, iOS and iPadOS 17.7.2 or 18.1.1 depending on branch, macOS Sequoia 15.1.1, visionOS 2.1.1) that correct the cookie state-management flaw enabling the XSS. This is the only control that removes the vulnerability.
- SI-10 (Information Input Validation): requires validation of untrusted web content before cookie or DOM operations, blocking the crafted input that triggers the vulnerability. Because the flaw sits in Apple's browser-side cookie handling rather than in a web application, validation by site operators is a compensating control at best and does not make unpatched clients safe.
- SI-3 (Malicious Code Protection): deploys malicious-code protections that can recognize and block web content attempting to exploit the cookie-handling XSS vector.