{"api_version":"1","generated_at":"2026-04-22T16:04:58+00:00","cve":"CVE-2024-44309","urls":{"html":"https://cve.report/CVE-2024-44309","api":"https://cve.report/api/cve/CVE-2024-44309.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-44309","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-44309"},"summary":{"title":"CVE-2024-44309","description":"A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.","state":"PUBLISHED","assigner":"apple","published_at":"2024-11-20 00:15:17","updated_at":"2026-04-02 19:18:39"},"problem_types":["CWE-79","Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"6.1","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"6.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":6.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"6.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"}}],"references":[{"url":"https://support.apple.com/en-us/121756","name":"https://support.apple.com/en-us/121756","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-44309","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-44309","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"http://seclists.org/fulldisclosure/2024/Nov/16","name":"http://seclists.org/fulldisclosure/2024/Nov/16","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.apple.com/en-us/121754","name":"https://support.apple.com/en-us/121754","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.apple.com/en-us/121752","name":"https://support.apple.com/en-us/121752","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.apple.com/en-us/121753","name":"https://support.apple.com/en-us/121753","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00003.html","name":"https://lists.debian.org/debian-lts-announce/2024/12/msg00003.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://support.apple.com/en-us/121755","name":"https://support.apple.com/en-us/121755","refsource":"product-security@apple.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-44309","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-44309","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Apple","product":"Safari","version":"affected 18.1.1 custom","platforms":[]},{"source":"CNA","vendor":"Apple","product":"iOS and iPadOS","version":"affected 17.7.2 custom","platforms":[]},{"source":"CNA","vendor":"Apple","product":"iOS and iPadOS","version":"affected 18.1.1 custom","platforms":[]},{"source":"CNA","vendor":"Apple","product":"macOS","version":"affected 15.1.1 custom","platforms":[]},{"source":"CNA","vendor":"Apple","product":"visionOS","version":"affected 2.1.1 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"safari","version":"affected 18.1 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"macos","version":"affected 15.1 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"visionos","version":"affected 2.1 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"iphone_os","version":"affected 17.7 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"iphone_os","version":"affected 18.0 18.1 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"iphone_os","version":"affected 17.7 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"iphone_os","version":"affected 18.0 18.1 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"ipad_os","version":"affected 17.7 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"ipad_os","version":"affected 18.0 18.1 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"ipad_os","version":"affected 17.7 custom","platforms":[]},{"source":"ADP","vendor":"apple","product":"ipad_os","version":"affected 18.0 18.1 custom","platforms":[]}],"timeline":[{"source":"ADP","time":"2024-11-21T00:00:00.000Z","lang":"en","value":"CVE-2024-44309 added to CISA KEV"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"44309","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"apple","cpe5":"ipados","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2024","cve_id":"44309","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apple","cpe5":"safari","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2024","cve_id":"44309","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2024","cve_id":"44309","cve":"CVE-2024-44309","vendorProject":"Apple","product":"Multiple Products","vulnerabilityName":"Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability","dateAdded":"2024-11-21","shortDescription":"Apple iOS, macOS, and other Apple products contain an unspecified vulnerability when processing maliciously crafted web content that may lead to a cross-site scripting (XSS) attack.","requiredAction":"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.","dueDate":"2024-12-12","knownRansomwareCampaignUse":"Unknown","notes":"https://support.apple.com/en-us/121752, https://support.apple.com/en-us/121753, https://support.apple.com/en-us/121754, https://support.apple.com/en-us/121755, https://support.apple.com/en-us/121756 ; https://nvd.nist.gov/vuln/detail/CVE-2024-44309","cwes":"CWE-79","catalogVersion":"2026.04.21","updated_at":"2026-04-21 13:32:18"},"epss":{"cve_year":"2024","cve_id":"44309","cve":"CVE-2024-44309","epss":"0.013090000","percentile":"0.798200000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:42"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"cpes":["cpe:2.3:a:apple:safari:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"safari","vendor":"apple","versions":[{"lessThan":"18.1","status":"affected","version":"0","versionType":"custom"}]},{"cpes":["cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"macos","vendor":"apple","versions":[{"lessThan":"15.1","status":"affected","version":"0","versionType":"custom"}]},{"cpes":["cpe:2.3:o:apple:visionos:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"visionos","vendor":"apple","versions":[{"lessThan":"2.1","status":"affected","version":"0","versionType":"custom"}]},{"cpes":["cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:iphone:*"],"defaultStatus":"unknown","product":"iphone_os","vendor":"apple","versions":[{"lessThan":"17.7","status":"affected","version":"0","versionType":"custom"},{"lessThan":"18.1","status":"affected","version":"18.0","versionType":"custom"}]},{"cpes":["cpe:2.3:o:apple:iphone_os:-:*:*:*:*:*:iphone:*"],"defaultStatus":"unknown","product":"iphone_os","vendor":"apple","versions":[{"lessThan":"17.7","status":"affected","version":"0","versionType":"custom"},{"lessThan":"18.1","status":"affected","version":"18.0","versionType":"custom"}]},{"cpes":["cpe:2.3:o:apple:ipad_os:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"ipad_os","vendor":"apple","versions":[{"lessThan":"17.7","status":"affected","version":"0","versionType":"custom"},{"lessThan":"18.1","status":"affected","version":"18.0","versionType":"custom"}]},{"cpes":["cpe:2.3:o:apple:ipad_os:-:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"ipad_os","vendor":"apple","versions":[{"lessThan":"17.7","status":"affected","version":"0","versionType":"custom"},{"lessThan":"18.1","status":"affected","version":"18.0","versionType":"custom"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":6.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","version":"3.1"}},{"other":{"content":{"id":"CVE-2024-44309","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-11-23T04:55:45.567430Z","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2024-11-21","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-44309"},"type":"kev"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-79","description":"CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-10-21T22:55:35.442Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-44309"}],"timeline":[{"lang":"en","time":"2024-11-21T00:00:00.000Z","value":"CVE-2024-44309 added to CISA KEV"}],"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2025-11-03T22:13:35.289Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00003.html"},{"url":"http://seclists.org/fulldisclosure/2024/Nov/16"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"Safari","vendor":"Apple","versions":[{"lessThan":"18.1.1","status":"affected","version":"0","versionType":"custom"}]},{"product":"iOS and iPadOS","vendor":"Apple","versions":[{"lessThan":"17.7.2","status":"affected","version":"0","versionType":"custom"},{"lessThan":"18.1.1","status":"affected","version":"0","versionType":"custom"}]},{"product":"macOS","vendor":"Apple","versions":[{"lessThan":"15.1.1","status":"affected","version":"0","versionType":"custom"}]},{"product":"visionOS","vendor":"Apple","versions":[{"lessThan":"2.1.1","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems."}],"problemTypes":[{"descriptions":[{"description":"Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.","lang":"en"}]}],"providerMetadata":{"dateUpdated":"2026-04-02T18:26:41.434Z","orgId":"286789f9-fbc2-4510-9f9a-43facdede74c","shortName":"apple"},"references":[{"url":"https://support.apple.com/en-us/121752"},{"url":"https://support.apple.com/en-us/121753"},{"url":"https://support.apple.com/en-us/121754"},{"url":"https://support.apple.com/en-us/121755"},{"url":"https://support.apple.com/en-us/121756"}]}},"cveMetadata":{"assignerOrgId":"286789f9-fbc2-4510-9f9a-43facdede74c","assignerShortName":"apple","cveId":"CVE-2024-44309","datePublished":"2024-11-19T23:43:55.493Z","dateReserved":"2024-08-20T21:45:40.801Z","dateUpdated":"2026-04-02T18:26:41.434Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-11-20 00:15:17","lastModifiedDate":"2026-04-02 19:18:39","problem_types":["CWE-79","Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.","CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L","baseScore":6.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":3.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","matchCriteriaId":"FA6FEEC2-9F11-4643-8827-749718254FED"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*","versionEndExcluding":"18.1.1","matchCriteriaId":"5BF8CCEA-CE0F-46DF-9A7A-83A55DE97BCE"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*","versionEndExcluding":"17.7.2","matchCriteriaId":"AAEA98FE-8942-4B9B-B25E-AF99B5A650C3"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*","versionStartIncluding":"18.0","versionEndExcluding":"18.1.1","matchCriteriaId":"4CE6128B-DBDB-4811-971D-1069382437D4"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*","versionEndExcluding":"17.7.2","matchCriteriaId":"F4F19E10-37EA-44E1-A425-F879C39DF7A8"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*","versionStartIncluding":"18.0","versionEndExcluding":"18.1.1","matchCriteriaId":"786A3E4B-531F-463E-BC62-F264E562C71F"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*","versionStartIncluding":"15.0","versionEndExcluding":"15.1.1","matchCriteriaId":"AFC09E08-0FBA-4D99-A4B6-5562A8484BE6"},{"vulnerable":true,"criteria":"cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*","versionEndExcluding":"2.1.1","matchCriteriaId":"642BDC87-257B-4B0E-88D4-DDFC26F0723F"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"44309","Ordinal":"1","Title":"CVE-2024-44309","CVE":"CVE-2024-44309","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"44309","Ordinal":"1","NoteData":"A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, macOS Sequoia 15.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.","Type":"Description","Title":"CVE-2024-44309"}]}}}