CVE-2024-23263: 
NixOS vulnerability analysis and mitigation

CVE-2024-23263 is a security vulnerability affecting multiple Apple operating systems and WebKit-based browsers. The issue was discovered as a logic vulnerability in WebKit that could allow maliciously crafted web content to prevent Content Security Policy (CSP) from being enforced. This vulnerability was fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, and Safari 17.4 (Apple Security).

The vulnerability is identified as a logic issue in WebKit's handling of Content Security Policy enforcement. The issue was addressed with improved validation (WebKit Bugzilla: 264811). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, while CISA-ADP assessed it with a higher score of 8.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (NVD).

When exploited, this vulnerability could allow maliciously crafted web content to bypass Content Security Policy protections. This could potentially lead to security policy violations and compromise the intended security boundaries set by CSP (WebKit Security Advisory).

The vulnerability has been patched in multiple Apple operating systems and WebKit-based browsers. Users should update to tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, Safari 17.4, or WebKitGTK/WPE WebKit version 2.44.0 or later (Apple Security, WebKit Security Advisory).