Analysis Summary

CVE-2024-44308 CVSS:8.8

Apple Safari could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JavaScriptCore component. By persuading a victim to open specially crafted web content, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2024-44309 CVSS:6.1

Apple Safari is vulnerable to cross-site scripting, caused by a cookie management issue in the WebKit component. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Impact

• Code Execution
• Cross-Site Scripting

Indicators of Compromise

CVE

• CVE-2024-44308
• CVE-2024-44309

Affected Vendors

Affected Products

• Apple Safari 18.1.0
• Apple visionOS 2.1.0
• Apple macOS Sequoia 15.1.0
• Apple iOS 17.7.1
• Apple iPadOS 17.7.1
• Apple iPadOS 18.1.0
• Apple iOS 18.1.0

Remediation

Refer to Apple Security Advisory for patch, upgrade or suggested workaround information.

Apple Security Advisory