CVE-2023-28204
MEDIUM KEVSafari < 16.5 - Out-of-bounds Read via Web Content Processing
Title source: llmExploitation Summary
CVE-2023-28204 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 22, 2023.
Description
An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 9.5, tvOS 16.5, macOS Ventura 13.4, iOS 15.7.6 and iPadOS 15.7.6, Safari 16.5, iOS 16.5 and iPadOS 16.5. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been actively exploited.
References (8)
Core 8
Core References
Third Party Advisory
https://security.gentoo.org/glsa/202401-04
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT213757
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT213758
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT213761
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT213762
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT213764
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT213765
US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28204
Scores
CVSS v3
6.5
EPSS
0.0008
EPSS Percentile
23.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
active
Automatable
no
Technical Impact
partial
Details
CISA KEV
2023-05-22
VulnCheck KEV
2023-05-01
InTheWild.io
2023-05-01
ENISA EUVD
EUVD-2023-31912
CWE
CWE-125
Status
published
Products (7)
apple/ipados
< 15.7.6
apple/iphone_os
< 15.7.6
apple/macos
13.0 - 13.4
apple/safari
< 16.5
apple/tvos
< 16.5
apple/watchos
< 9.5
webkitgtk/webkitgtk\+
< 2.42.3
Published
Jun 23, 2023
KEV Added
May 22, 2023
Tracked Since
Feb 18, 2026