CVE-2024-54467: 
Apple Safari vulnerability analysis and mitigation

A cookie management issue was discovered in Apple's WebKit browser engine that affects multiple Apple operating systems and Safari browser. The vulnerability (CVE-2024-54467) was fixed in watchOS 11, macOS Sequoia 15, Safari 18, visionOS 2, iOS 18, iPadOS 18, and tvOS 18, released on September 16, 2024. The vulnerability was discovered by Narendra Bhati, Manager of Cyber Security at Suma Soft Pvt. Ltd, Pune (India) (Apple Support).

The vulnerability is a cookie management issue in WebKit that could allow cross-origin data exfiltration. The issue was addressed with improved state management and is tracked in WebKit Bugzilla under ID 287874. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating it requires user interaction but can lead to high confidentiality impact (NVD).

When exploited, this vulnerability allows malicious websites to exfiltrate data cross-origin, potentially leading to unauthorized access to sensitive information from other web origins (Apple Support, Apple Support).

Apple has addressed this vulnerability by implementing improved state management in WebKit. Users should update to watchOS 11, macOS Sequoia 15, Safari 18, visionOS 2, iOS 18 and iPadOS 18, or tvOS 18 to protect against this vulnerability (Apple Support).