CVE-2024-23204
HIGHwatchOS < 10.3 - Unauthorized Sensitive Data Access via Shortcut Actions
Title source: llmDescription
The issue was addressed with additional permissions checks. This issue is fixed in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.3 and iPadOS 17.3, macOS Monterey 12.7.4, macOS Sonoma 14.3, macOS Ventura 13.6.5, watchOS 10.3. A shortcut may be able to use sensitive data with certain actions without prompting the user.
References (18)
Core 18
Core References
Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/33
Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/36
Third Party Advisory
http://seclists.org/fulldisclosure/2024/Jan/39
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT214059
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT214060
Release Notes, Vendor Advisory
https://support.apple.com/en-us/HT214061
Mailing List
http://seclists.org/fulldisclosure/2024/Mar/22
Mailing List
http://seclists.org/fulldisclosure/2024/Mar/23
Vendor Advisory
https://support.apple.com/kb/HT214082
Vendor Advisory
https://support.apple.com/kb/HT214083
Vendor Advisory
https://support.apple.com/kb/HT214085
Vendor Advisory
https://support.apple.com/kb/HT214061
Scores
CVSS v3
7.5
EPSS
0.0019
EPSS Percentile
40.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
Status
published
Products (10)
Apple/iOS and iPadOS
< 16.7.6
Apple/iOS and iPadOS
< 17.3
apple/ipados
17.0 - 17.3
apple/iphone_os
17.0 - 17.3
Apple/macOS
< 12.7.4
Apple/macOS
< 13.6.5
apple/macos
< 14.3
Apple/macOS
< 14.3
apple/watchos
< 10.3
Apple/watchOS
< 10.3
Published
Jan 23, 2024
Tracked Since
Feb 18, 2026