⚠ Actively exploited
Added to CISA KEV on 2024-11-21. Federal agencies required to patch by 2024-12-12. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..
CVE-2024-44309 — Cross-site Scripting in Apple IOS AND Ipados
Severity
6.3MEDIUMNVD
EPSS
1.3%
top 20.44%
CISA KEV
KEV
Added 2024-11-21
Due 2024-12-12
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedNov 20
KEV addedNov 21
Latest updateDec 9
KEV dueDec 12
CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Description
A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4
Affected Packages9 packages
Also affects: Debian Linux 11.0
🔴Vulnerability Details
5GHSA▶
GHSA-6cpp-mpjx-cx8v: A cookie management issue was addressed with improved state management↗2024-11-20
OSV
▶
OSV
▶
CVEList
▶