CVE-2024-44206

An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A user may be able to bypass some web content restrictions.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.apple.com/en-us/120909	Release Notes Vendor Advisory
https://support.apple.com/en-us/120911	Release Notes Vendor Advisory
https://support.apple.com/en-us/120913	Release Notes Vendor Advisory
https://support.apple.com/en-us/120914	Release Notes Vendor Advisory
https://support.apple.com/en-us/120915	Release Notes Vendor Advisory
https://support.apple.com/en-us/120916	Release Notes Vendor Advisory
http://seclists.org/fulldisclosure/2024/Nov/6

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:tvos::::::::
	cpe:2.3:o:apple:visionos::::::::

History

21 Nov 2024, 21:15

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Nov/6 -

19 Nov 2024, 13:47

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.4~~	v2 : unknown v3 : 9.3

29 Oct 2024, 15:31

Type	Values Removed	Values Added
First Time		Apple ipados Apple safari Apple visionos Apple Apple tvos Apple macos Apple iphone Os
CPE		cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:macos:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:a:apple:safari:::::::: cpe:2.3:o:apple:tvos:::::::: cpe:2.3:o:apple:visionos::::::::
References	~~() https://support.apple.com/en-us/120909 -~~	() https://support.apple.com/en-us/120909 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120911 -~~	() https://support.apple.com/en-us/120911 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120913 -~~	() https://support.apple.com/en-us/120913 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120914 -~~	() https://support.apple.com/en-us/120914 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120915 -~~	() https://support.apple.com/en-us/120915 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120916 -~~	() https://support.apple.com/en-us/120916 - Release Notes, Vendor Advisory
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4

25 Oct 2024, 12:56

Type	Values Removed	Values Added
Summary		(es) Se solucionó un problema en el manejo de protocolos URL con una lógica mejorada. Este problema se solucionó en tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 y iPadOS 17.6, macOS Sonoma 14.6. Es posible que los usuarios puedan eludir algunas restricciones de contenido web.

24 Oct 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-24 17:15

Updated : 2024-11-21 21:15

NVD link : CVE-2024-44206

Mitre link : CVE-2024-44206

CVE.ORG link : CVE-2024-44206

JSON object : View

Products Affected

apple

visionos
iphone_os
safari
tvos
macos
ipados

CWE

NVD-CWE-noinfo

9.3 /10