CVE-2024-44187

MEDIUM Year: 2024
CVSS v3 Score
6.5
Medium
Weakness Type
CWE-346
View all →

Vulnerability Description

A cross-origin issue existed with "iframe" elements. This was addressed with improved tracking of security origins. This issue is fixed in Safari 18, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. A malicious website may exfiltrate data cross-origin.

Related Vulnerabilities

CVE-2018-12402

MEDIUM
CVSS:6.5(Medium)

The internal WebBrowserPersist code does not use correct origin context for a resource being saved. This manifests when sub-resources are loaded as part of "Save Page As..." functionality. For example...

CWE-3462018

CVE-2018-16072

MEDIUM
CVSS:6.5(Medium)

A missing origin check related to HLS manifests in Blink in Google Chrome prior to 69.0.3497.81 allowed a remote attacker to bypass same origin policy via a crafted HTML page.

CWE-3462018

CVE-2018-18494

MEDIUM
CVSS:6.5(Medium)

A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is...

CWE-3462018

CVE-2018-18499

MEDIUM
CVSS:6.5(Medium)

A same-origin policy violation allowing the theft of cross-origin URL entries when using a meta http-equiv="refresh" on a page to cause a redirection to another site using performance.getEntries(). Th...

CWE-3462018

CVE-2019-13664

MEDIUM
CVSS:6.5(Medium)

Insufficient policy enforcement in Blink in Google Chrome prior to 77.0.3865.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.

CWE-3462019

CVE-2019-13740

MEDIUM
CVSS:6.5(Medium)

Incorrect security UI in sharing in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

CWE-3462019