CVE-2024-44309: 
Apple Safari vulnerability analysis and mitigation

CVE-2024-44309 is a cross-site scripting (XSS) vulnerability discovered in Apple's WebKit engine, affecting multiple Apple products. The vulnerability stems from a cookie management issue that was identified and disclosed on November 19, 2024. The affected systems include Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, and visionOS 2.1.1. The vulnerability was discovered by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (Apple Support).

The vulnerability is classified as a cookie management issue in WebKit that could lead to cross-site scripting attacks. The issue was addressed with improved state management. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. CISA's ADP assessment assigned a slightly different score of 6.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD).

When exploited, this vulnerability allows attackers to perform cross-site scripting attacks through maliciously crafted web content. The vulnerability has been confirmed to be actively exploited on Intel-based Mac systems, making it a zero-day vulnerability at the time of discovery (Apple Support, NVD).

Apple has released security updates to address this vulnerability across multiple platforms. Users should update to Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, or visionOS 2.1.1 depending on their device. CISA requires federal agencies to apply vendor patches by December 12, 2024 (Apple Support, NVD).