CVE-2024-44187 - Vulnerability Details

A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00119.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apple	Ipados Iphone Os Macos Safari Tvos Visionos Watchos
Redhat	Enterprise Linux Rhel Els

Configuration 1 [-]

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:tvos::::::::
	cpe:2.3:o:apple:visionos::::::::
	cpe:2.3:o:apple:watchos::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
webkitgtk4-0:2.48.3-2.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:10364	2025-07-07T00:00:00Z
Red Hat Enterprise Linux 8
webkit2gtk3-0:2.46.3-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:9636	2024-11-14T00:00:00Z
Red Hat Enterprise Linux 9
webkit2gtk3-0:2.46.1-2.el9_4	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:8180	2024-10-16T00:00:00Z
webkit2gtk3-0:2.46.3-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9553	2024-11-13T00:00:00Z

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-3961-1	webkit2gtk security update
Debian DSA	DSA-5792-1	webkit2gtk security update
EUVD	EUVD-2024-40936	A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.
Ubuntu USN	USN-7079-1	WebKitGTK vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/fulldisclosure/2024/Sep/32
http://seclists.org/fulldisclosure/2024/Sep/33
http://seclists.org/fulldisclosure/2024/Sep/36
http://seclists.org/fulldisclosure/2024/Sep/37
https://lists.debian.org/debian-lts-announce/2024/11/msg00019.html
https://nvd.nist.gov/vuln/detail/CVE-2024-44187
https://support.apple.com/en-us/121238
https://support.apple.com/en-us/121240
https://support.apple.com/en-us/121241
https://support.apple.com/en-us/121248
https://support.apple.com/en-us/121249
https://support.apple.com/en-us/121250
https://webkitgtk.org/security/WSA-2024-0005.html
https://www.cve.org/CVERecord?id=CVE-2024-44187

History

Tue, 04 Nov 2025 17:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2024/Sep/32 http://seclists.org/fulldisclosure/2024/Sep/33 http://seclists.org/fulldisclosure/2024/Sep/36 http://seclists.org/fulldisclosure/2024/Sep/37

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/11/msg00019.html

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00115}`	epss `{'score': 0.00118}`

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00103}`	epss `{'score': 0.00115}`

Mon, 07 Jul 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els

Sat, 16 Nov 2024 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Thu, 17 Oct 2024 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Thu, 26 Sep 2024 02:15:00 +0000

Type	Values Removed	Values Added
References		https://webkitgtk.org/security/WSA-2024-0005.html
Metrics	threat_severity `Important`	threat_severity `Moderate`

Wed, 25 Sep 2024 19:45:00 +0000

Type	Values Removed	Values Added
Title		webkitgtk: A malicious website may exfiltrate data cross-origin
References		https://nvd.nist.gov/vuln/detail/CVE-2024-44187 https://www.cve.org/CVERecord?id=CVE-2024-44187
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 25 Sep 2024 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ipados Apple iphone Os Apple macos Apple safari Apple tvos Apple visionos Apple watchos
Weaknesses		CWE-346
CPEs		cpe:2.3:a:apple:safari:::::::: cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:macos:::::::: cpe:2.3:o:apple:tvos:::::::: cpe:2.3:o:apple:visionos:::::::: cpe:2.3:o:apple:watchos::::::::
Vendors & Products		Apple Apple ipados Apple iphone Os Apple macos Apple safari Apple tvos Apple visionos Apple watchos
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}`

Tue, 17 Sep 2024 21:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 16 Sep 2024 23:30:00 +0000

Type	Values Removed	Values Added
Description		A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.
References		https://support.apple.com/en-us/121238 https://support.apple.com/en-us/121240 https://support.apple.com/en-us/121241 https://support.apple.com/en-us/121248 https://support.apple.com/en-us/121249 https://support.apple.com/en-us/121250

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2024-09-16T23:23:16.230Z

Updated: 2025-11-04T16:15:32.974Z

Reserved: 2024-08-20T21:42:05.933Z

Link: CVE-2024-44187

Vulnrichment

Updated: 2024-09-17T13:46:45.960Z

NVD

Status : Modified

Published: 2024-09-17T00:15:52.037

Modified: 2025-11-04T17:16:13.600

Link: CVE-2024-44187

Redhat

Severity : Moderate

Publid Date: 2024-09-25T00:00:00Z

Links: CVE-2024-44187 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object