CVE-2024-44273

Improper Link Resolution Before File Access ('Link Following') (CWE-59)

Published: Oct 28, 2024

CVSS 5.5 | EPSS 0.05% | Medium

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.1 and iPadOS 18.1, visionOS 2.1, macOS Sonoma 14.7.1, watchOS 11.1, tvOS 18.1. A malicious app may be able to access private information.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380785)

Oct 28, 2024 at 7:53 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (380784)

Oct 28, 2024 at 7:53 AM
Vendor Advisory

Apple released a security advisory (121564).

Oct 28, 2024 at 4:00 PM
Vendor Advisory

Apple released a security advisory (121565).

Oct 28, 2024 at 4:00 PM
Vendor Advisory

Apple released a security advisory (121570).

Oct 28, 2024 at 4:00 PM
Vendor Advisory

Apple released a security advisory (121569).

Oct 28, 2024 at 4:00 PM
Vendor Advisory

Apple released a security advisory (121566).

Oct 28, 2024 at 4:00 PM
Vendor Advisory

Apple released a security advisory (121563).

Oct 28, 2024 at 4:01 PM
First Article

Feedly found the first article mentioning CVE-2024-44273.

Oct 28, 2024 at 4:04 PM / Main stream | The Taggart Institute Intel Center
Static CVE Timeline Graph

Affected Systems

Apple/macos

Patches

Apple

Links to Mitre Att&cks

T1547.009: Shortcut Modification

Attack Patterns

CAPEC-132: Symlink Attack

Vendor Advisory

About the security content of macOS Sonoma 14.7.1 - Apple Support
Description: An information disclosure issue was addressed with improved private data redaction for log entries.

References

About the security content of macOS Sonoma 14.7.1 - Apple Support
Description: An information disclosure issue was addressed with improved private data redaction for log entries.
About the security content of macOS Sequoia 15.1 - Apple Support
Impact: A malicious app with root privileges may be able to modify the contents of system files.
Impact: A malicious app may be able to access private information.

News

US-CERT Vulnerability Summary for the Week of October 28, 2024
abdullahirfan — documentpress: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Abdullah Irfan DocumentPress allows Reflected XSS. This issue affects DocumentPress: from n/a through 2.1. 2024-10-29 | 6.1 | CVE-2024-49656 | [email protected]
abdullahirfan — whitelist: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Abdullah Irfan Whitelist allows Reflected XSS. This issue affects Whitelist: from n/a through 3.5. 2024-10-29 | 6.1 | CVE-2024-49643 | [email protected]
AffiliateX — AffiliateX: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AffiliateX allows Stored XSS. This issue affects AffiliateX: from n/a through 1.2.9. 2024-10-29 | 6.5 | CVE-2024-49692 | [email protected]
Ahmed Kaludi, Mohammed Kaludi — AMP for WP: Missing Authorization vulnerability in Ahmed Kaludi, Mohammed Kaludi AMP for WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AMP for WP: from n/a through 1.0.96.1. 2024-11-01 | 6.3 | CVE-2024-43146 | [email protected]
Alex Volkov — WP Accessibility Helper (WAH): Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.9.
The Cybersecurity and Infrastructure Security Agency (CISA) Reports Urgent Security Updates for Apple Products
These Apple vulnerabilities highlight the ongoing need for users to remain vigilant and ensure their devices are updated to protect against potential threats. The Cybersecurity and Infrastructure Security Agency (CISA) has recently alerted users to multiple vulnerabilities in Apple products following the release of vital security updates on October 28, 2024.
Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
An attacker with physical access to a locked device may be able to view sensitive user information. A malicious app with root privileges may be able to modify the contents of system files.
Update Your iPhone Now: iOS 18.1 Includes More Than 25 Security Fixes - MacRumors
Impact: An attacker with physical access to a locked device may be able to view sensitive user information.
Impact: A malicious app may be able to access private information.
Apple Security Advisory 10-28-2024-7
APPLE-SA-10-28-2024-7 tvOS 18.1: tvOS 18.1 addresses the

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
