CVE-2024-44155
MEDIUMSafari < 18 - Sandbox Policy Bypass via Custom URL Scheme Handling
Title source: llmDescription
A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 18, iOS 17.7.1 and iPadOS 17.7.1, iOS 18 and iPadOS 18, macOS Sequoia 15, watchOS 11. Maliciously crafted web content may violate iframe sandboxing policy.
References (6)
Core 6
Core References
Release Notes, Vendor Advisory
https://support.apple.com/en-us/121238
Release Notes, Vendor Advisory
https://support.apple.com/en-us/121240
Release Notes, Vendor Advisory
https://support.apple.com/en-us/121241
Release Notes, Vendor Advisory
https://support.apple.com/en-us/121250
Release Notes, Vendor Advisory
https://support.apple.com/en-us/121567
Mailing List
http://seclists.org/fulldisclosure/2024/Oct/10
Scores
CVSS v3
6.5
EPSS
0.0013
EPSS Percentile
32.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
Status
published
Products (10)
Apple/iOS and iPadOS
< 17.7.1
Apple/iOS and iPadOS
< 18
apple/ipados
< 17.7.1
apple/iphone_os
< 17.7.1
Apple/macOS
< 15
apple/macos
< 15.0
Apple/Safari
< 18
apple/safari
< 18.0
Apple/watchOS
< 11
apple/watchos
< 11.0
Published
Oct 28, 2024
Tracked Since
Feb 18, 2026