CVE-2024-44309

Published Nov 20, 2024

Last updated 3 months ago

Overview

Description
A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.
Source: product-security@apple.com
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 6.1
Impact score: 2.7
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity: MEDIUM

Known exploits

Data from CISA

Vulnerability name: Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability
Exploit added on: Nov 21, 2024
Exploit action due: Dec 12, 2024
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov: CWE-79
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-79

Social media

Hype score
Not currently trending
  1. New post from https://t.co/uXvPWJy6tj (CVE-2024-44309 | Apple Safari on Intel Cookie cross site scripting (Nessus ID 211691)) has been published on https://t.co/M3JTGjpXC6

    @WolfgangSesin

    24 Feb 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. I am looking at latest 0-Day exploit attack on Safari (11.2024): CVE-2024-44308: JavaScriptCore DFG compiler logic issue to RCE - nothing new here CVE-2024-44309: WebKit Data Isolation bypass The thing is, there is no sandbox escapes in disclosure. Cve 44309 is a limited CSP… h

    @alisaesage

    18 Dec 2024

    15320 Impressions

    39 Retweets

    196 Likes

    76 Bookmarks

    5 Replies

    1 Quote

  3. CVE-2024-21287 is getting exploited #inthewild. Find out more at https://t.co/zxkLY8Soqk CVE-2024-44309 is getting exploited #inthewild. Find out more at https://t.co/C8QQNSrrFU CVE-2023-28461 is getting exploited #inthewild. Find out more at https://t.co/IogAb7TnOf

    @inthewildio

    3 Dec 2024

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2024-21287 is getting exploited #inthewild. Find out more at https://t.co/zxkLY8Soqk CVE-2024-44309 is getting exploited #inthewild. Find out more at https://t.co/C8QQNSrrFU CVE-2024-44308 is getting exploited #inthewild. Find out more at https://t.co/JGYVH1sML9

    @inthewildio

    3 Dec 2024

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 https://t.co/FluhJnjQBQ Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2024-44308) and cross site scripting (CVE-2024-44309). May have been actively exploited on Intel-based Mac.

    @oss_security

    27 Nov 2024

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. (CVE-2024-44309 - exploited ITW)[283095]Data Isolation bypass via attacker controlled firstPartyForCookies. `NetworkProcess::allowsFirstPartyForCookies` unconditionally allows cookie access for about:blank or empty firstPartyForCookies URLs. https://t.co/M0Hxy9VDPq @_clem1 https

    @xvonfers

    27 Nov 2024

    1081 Impressions

    2 Retweets

    13 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  7. XSS attacks and malicious code execution lie in wait for Apple users. According to the Miaad news site, two critical vulnerabilities with the identifiers CVE-2024-44308 and CVE-2024-44309 have been discovered in Apple products that allow the attacker... https://t.co/Q3PESoVpqb

    @MiaadNews

    26 Nov 2024

    16 Impressions

    1 Retweet

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Apple released patches for 2 zero-day vuln's in macOS & iOS. Both bugs, linked to processing malicious web content, have been exploited on Intel-based Macs. CVE-2024-44308 allows arbitrary code execution via JavaScriptCore & CVE-2024-44309 enables XSS through WebKit.

    @Cyber_Sec_Raj

    23 Nov 2024

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Critical security updates for Apple devices! Recently discovered zero-day vulnerabilities (CVE-2024-44308, CVE-2024-44309) in macOS Sequoia affect Macs with Intel processors. These flaws, which also affect iOS, iPadOS and visionOS, allow XSS attacks… h

    @cyber_net_now

    23 Nov 2024

    8 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2024-38813 is getting exploited #inthewild. Find out more at https://t.co/zNunqRnweA CVE-2024-38812 is getting exploited #inthewild. Find out more at https://t.co/hCViVKqL3t CVE-2024-44309 is getting exploited #inthewild. Find out more at https://t.co/C8QQNSrZvs

    @inthewildio

    22 Nov 2024

    75 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Howdy, @X Don’t forget to update your iPhone! •CVE-2024-44308 Apple Multiple Products Code Execution Vulnerability •CVE-2024-44309 Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability #cybersecuritytips

    @bmwalt

    22 Nov 2024

    36 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  12. #Apple released emergency #security updates to fix two #zeroday #vulnerabilities (CVE-2024-44308 & CVE-2024-44309) that were exploited in attacks on #Intel-based #Mac systems. #Cybersecurity #infosec https://t.co/LRA5kMGiPA https://t.co/DOa0UKDhZf

    @twelvesec

    22 Nov 2024

    15 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2024-44309 #Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability https://t.co/m6rHFBNtJX

    @ScyScan

    21 Nov 2024

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CISA Adds Three Known Exploited Vulnerabilities to Catalog: CVE-2024-44308 - Apple Code Execution CVE-2024-44309 - Apple XSS CVE-2024-21287 - Oracle Agile PLM Incorrect Authorization https://t.co/oCDbymKEfT https://t.co/Y6IYhEG5eM

    @TMJIntel

    21 Nov 2024

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🛡️ We added #Oracle #AgilePLM & #Apple vulnerabilities, CVE-2024-21287, CVE-2024-44308, & CVE-2024-44309, to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec

    @CISACyber

    21 Nov 2024

    4704 Impressions

    11 Retweets

    24 Likes

    2 Bookmarks

    0 Replies

    2 Quotes

  16. CZ WARNS CRYPTO USERS: UPDATE APPLE DEVICES NOW Binance’s CZ Zhao alerts crypto users to critical macOS and iPhone exploits. Zero-day vulnerabilities CVE-2024-44308 and CVE-2024-44309 let hackers hijack devices and steal crypto keys: Apple’s patches for macOS 15.1.1 and iOS… ht

    @ibcgroupio

    21 Nov 2024

    18749 Impressions

    0 Retweets

    6 Likes

    0 Bookmarks

    11 Replies

    0 Quotes

  17. CZ SAYS: PATCH UP OR LOSE YOUR BAG CZ sounds the alarm—a macOS/iPhone zero-day exploit can jack your crypto. CVE-2024-44308 allows hackers full control; CVE-2024-44309 targets Safari for data theft; Apple rolled out macOS 15.1.1 + iOS 18.1.1—so update or get rekt. Lazarus… htt

    @RoundtableSpace

    21 Nov 2024

    36532 Impressions

    3 Retweets

    21 Likes

    2 Bookmarks

    42 Replies

    0 Quotes

  18. CZ SOUNDS THE ALARM: CRITICAL APPLE EXPLOITS THREATEN CRYPTO Changpeng “CZ” Zhao urges immediate updates to macOS and iOS—vulnerabilities CVE-2024-44308 and CVE-2024-44309 pose a direct risk to crypto users. These flaws enable attackers to execute code, steal data, and… https:/

    @Crypto_TownHall

    21 Nov 2024

    10651 Impressions

    3 Retweets

    11 Likes

    0 Bookmarks

    23 Replies

    0 Quotes

  19. iOS 18.1.1—Update Now Warning Issued To All iPhone Users 🚨 Apple released iOS 18.1.1 with urgent security fixes for CVE-2024-44308 & CVE-2024-44309, addressing web content vulnerabilities. Update now! #iOSUpdate #SecurityFix #iPhone16ProMax https://t.co/a52xMoJJyF

    @StarSnapx

    21 Nov 2024

    100 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Apple issues urgent macOS & iOS updates to patch 2 zero-days (CVE-2024-44308, CVE-2024-44309) exploited in the wild. Targets Intel-based Macs, allowing code execution & XSS via malicious web content. Update iOS/macOS! More APT attacks suspected. #CVE-2024-44309 #CVE-2024-

    @malwhere018

    21 Nov 2024

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. #SicurezzaInformatica: Apple releases critical updates! Two zero-day vulnerabilities identified in Intel Mac systems (CVE-2024-44308 and CVE-2024-44309) have been promptly fixed with the latest version of macOS Sequoia 15.1.1. The updates include… https://t.c

    @cyber_net_now

    21 Nov 2024

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. 🚨 Apple security fixes: CVE-2024-44308 & CVE-2024-44309 🚨 Apple fixes two critical vulnerabilities in their OSes: • CVE-2024-44308 (JavaScriptCore): remote code execution via web content. • CVE-2024-44309 (WebKit): XSS attack.

    @MakeinLab

    21 Nov 2024

    55 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

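  23. Wu Blockchain has learned that CZ tweeted a reminder: if you are using an Intel-based Macbook, update as soon as possible and stay safe. Apple has confirmed that two zero-day vulnerabilities in macOS (CVE-2024-44308, CVE-2024-44309) are being widely exploited by hackers, and has urgently released the iOS 18.1.1, macOS Sequoia 15.1.1 and iOS 17.7.2 security updates. Both vulnerabilities were, by Google… https://t.co/erRfTdJBMl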

    @wublockchain12

    21 Nov 2024

    5888 Impressions

    1 Retweet

    2 Likes

    4 Bookmarks

    2 Replies

    0 Quotes

  24. Although information about the exploits is limited, the company reported that Intel-based Mac systems have been attacked by cybercriminals seeking to exploit CVE-2024-44308 and CVE-2024-44309. #OpenSpring #ciberseguridad @DarkReading https://t.co/9qdjKs9VM6

    @OpenSpringES

    20 Nov 2024

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. Apple addressed twin flaws with an emergency patch release #Apple #CVE-2024-44308 #CVE-2024-44309 https://t.co/rv7QSCsT4P

    @pravin_karthik

    20 Nov 2024

    39 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🚨We are warning of two actively exploited zero-day vulnerabilities in Apple products. CVE-2024-44308: A vulnerability in JavaScriptCore allows an attacker to run malicious code through malicious content on a web page. CVE-2024-44309: A vulnerability in WebKit can lead to XSS attacks during… h

    @GOVCERT_CZ

    20 Nov 2024

    1565 Impressions

    3 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    1 Quote

  27. Apple has disclosed which vulnerabilities it fixed in iOS/iPadOS 18.1.1, iOS/iPadOS 17.7.2, and macOS Sequoia 15.1.1. The published Support document lists two vulnerabilities that were closed in the updates: JavaScript Core and WebKit (CVE-2024-44308 and CVE-2024-44309). https://

    @aaplpro

    20 Nov 2024

    674 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  28. Apple patched two zero-day vulnerabilities, CVE-2024-44308 and CVE-2024-44309 https://t.co/awvBRkbq4I

    @vulnerbyte

    20 Nov 2024

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  29. 🤔webkit security fixes: CVE-2024-44308 https://t.co/Sw753CtrL8 and CVE-2024-44309: https://t.co/cAtBcEHEtR

    @ntfargo

    20 Nov 2024

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. 🚨Update now! Apple releases iOS 18.1.1 and iPadOS 18.1.1 ⚠️2 zero-day vulnerabilities fixed - CVE-2024-44308 - CVE-2024-44309 https://t.co/rrxqXZavhv https://t.co/yXBZjtI9Nq https://t.co/ooOquukG1J

    @techworldaleant

    20 Nov 2024

    207 Impressions

    0 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  31. Apple releases urgent updates for macOS & iOS to fix 2 zero-day vulnerabilities: 🔹 CVE-2024-44308: Code execution 🔹 CVE-2024-44309: XSS ⚡ Update your devices now! Read more- https://t.co/clgb7vfNTE #Apple #CyberSecurity #ZeroDay

    @redfoxsec

    20 Nov 2024

    28 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  32. Apple fixes two zero-days used in attacks on Intel-based Macs: https://t.co/HAZgvBNDJD Apple released security updates addressing two zero-day vulnerabilities exploited in attacks on Intel-based Macs. The flaws, CVE-2024-44308 in JavaScriptCore and CVE-2024-44309 in WebKit,… htt

    @securityRSS

    20 Nov 2024

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  33. CRITICAL VULNERABILITIES Apple - About the security content of visionOS 2.1.1 URL: https://t.co/egqygoHgsJ Classification: Critical, Solution: Official Fix, Exploit Maturity: Unproven, CVSSv3.1: None CVEs: CVE-2024-44308, CVE-2024-44309 #apple #securety

    @CharyyevPerman

    20 Nov 2024

    68 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. 🔨Apple addresses two zero-day vulnerabilities: CVE-2024-44308, CVE-2024-44309 ~Cyber Alert, November 20~ https://t.co/Lgw09sHuCv #セキュリティ #インテリジェンス #OSINT

    @MachinaRecord

    20 Nov 2024

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

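  35. Zero-day attacks on macOS. Officially confirmed by Apple. Fixes are being distributed. Reported by Google's TAG (Threat Analysis Group). CVE-2024-44308 is an issue in JavaScriptCore where arbitrary code is executed when viewing maliciously crafted web content. CVE-2024-44309 is XSS in WebKit. https://t.co/p2TPFgLEXl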

    @__kokumoto

    19 Nov 2024

    1833 Impressions

    6 Retweets

    21 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  36. 📣 EMERGENCY UPDATES 📣 Apple pushed additional updates for 2 zero-days that may have been actively exploited. 🐛 CVE-2024-44308 (JavaScriptCore) additional patches, 🐛 CVE-2024-44309 (WebKit) additional patches: - Safari 18.1.1

    @ApplSec

    19 Nov 2024

    278 Impressions

    1 Retweet

    5 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  37. Finished updating to macOS Sequoia 15.1.1 / iPadOS 18.1.1. It reportedly addresses the zero-day vulnerabilities CVE-2024-44308 and CVE-2024-44309, which may have been actively exploited on Intel-based Mac systems.

    @macmacintosh

    19 Nov 2024

    215 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  38. Apple Confirms Zero-Day Attacks Hitting Macs - (CVE-2024-44308, CVE-2024-44309) -> https://t.co/R1WcxzjRz9

    @SecurityWeek

    19 Nov 2024

    8930 Impressions

    57 Retweets

    87 Likes

    24 Bookmarks

    0 Replies

    3 Quotes

  39. 📣 EMERGENCY UPDATES 📣 Apple pushed additional updates for 2 zero-days that may have been actively exploited. 🐛 CVE-2024-44308 (JavaScriptCore) additional patches, 🐛 CVE-2024-44309 (WebKit) additional patches: - visionOS 2.1.1

    @ApplSec

    19 Nov 2024

    313 Impressions

    3 Retweets

    7 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  40. 📣 EMERGENCY UPDATES 📣 Apple pushed updates for 2 new zero-days that may have been actively exploited. 🐛 CVE-2024-44308 (JavaScriptCore), 🐛 CVE-2024-44309 (WebKit): - iOS and iPadOS 17.7.2 - iOS and iPadOS 18.1.1 - macOS Sequoia 15.1.1

    @ApplSec

    19 Nov 2024

    603 Impressions

    1 Retweet

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations