CVE-2024-23203
HIGH
iPadOS 17.0-17.3 - Unauthorized Sensitive Data Access via Shortcut Actions
Title source: llm
Description
The issue was addressed with additional permissions checks. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, macOS Ventura 13.6.5. A shortcut may be able to use sensitive data with certain actions without prompting the user.
References (12)
Core References
Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/33
Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/36
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT214059
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT214061
Mailing List
http://seclists.org/fulldisclosure/2024/Mar/22
Vendor Advisory
https://support.apple.com/kb/HT214082
Vendor Advisory
https://support.apple.com/kb/HT214085
Vendor Advisory
https://support.apple.com/kb/HT214061
Scores
CVSS v3
7.5
EPSS
0.0018
EPSS Percentile
38.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
Status
published
Products (7)
Apple/iOS and iPadOS
< 16.7.6
Apple/iOS and iPadOS
< 17.3
apple/ipados
17.0 - 17.3
apple/iphone_os
17.0 - 17.3
Apple/macOS
< 13.6.5
apple/macos
< 14.3
Apple/macOS
< 14.3
Published
Jan 23, 2024
Tracked Since
Feb 18, 2026