SB2024012308 - Multiple vulnerabilities in Apple Safari

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024012308

SB2024012308 - Multiple vulnerabilities in Apple Safari

Published: January 23, 2024 Updated: April 17, 2026

Security Bulletin ID SB2024012308
CSH Severity
Critical
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 20% High 40% Medium 20% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2024-23211)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by Safari, which exposes user's private browsing activity in Settings. A local user can gain unauthorized access to sensitive information.


2) Buffer overflow (CVE-ID: CVE-2024-23206)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


3) Buffer overflow (CVE-ID: CVE-2024-23213)

CWE-ID: CWE-119 - Memory corruption

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Type confusion (CVE-ID: CVE-2024-23222)

CWE-ID: CWE-843 - Type confusion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error when processing HTML content. A remote attacker can trick the victim to open a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.


5) Security features bypass (CVE-ID: CVE-2024-23271)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a logic error in WebKit, which can lead to unexpected cross-origin behavior. A remote attacker can trick the victim to visit a specially crafted website and bypass implemented security restrictions.


Remediation

Install update from vendor's website.

References