CVE-2024-44206

An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. A user may be able to bypass some web content restrictions.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.apple.com/en-us/120909	Release Notes Vendor Advisory
https://support.apple.com/en-us/120911	Release Notes Vendor Advisory
https://support.apple.com/en-us/120913	Release Notes Vendor Advisory
https://support.apple.com/en-us/120914	Release Notes Vendor Advisory
https://support.apple.com/en-us/120915	Release Notes Vendor Advisory
https://support.apple.com/en-us/120916	Release Notes Vendor Advisory
http://seclists.org/fulldisclosure/2024/Nov/6

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:tvos::::::::
	cpe:2.3:o:apple:visionos::::::::

History

02 Apr 2026, 19:18

Type	Values Removed	Values Added
Summary	(en) An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A user may be able to bypass some web content restrictions.	(en) An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. A user may be able to bypass some web content restrictions.

21 Nov 2024, 21:15

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2024/Nov/6 -

19 Nov 2024, 13:47

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.4~~	v2 : unknown v3 : 9.3

29 Oct 2024, 15:31

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
First Time		Apple iphone Os Apple visionos Apple safari Apple Apple tvos Apple macos Apple ipados
CPE		cpe:2.3:o:apple:tvos:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:visionos:::::::: cpe:2.3:o:apple:ipados:::::::: cpe:2.3:a:apple:safari:::::::: cpe:2.3:o:apple:macos::::::::
References	~~() https://support.apple.com/en-us/120909 -~~	() https://support.apple.com/en-us/120909 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120911 -~~	() https://support.apple.com/en-us/120911 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120913 -~~	() https://support.apple.com/en-us/120913 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120914 -~~	() https://support.apple.com/en-us/120914 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120915 -~~	() https://support.apple.com/en-us/120915 - Release Notes, Vendor Advisory
References	~~() https://support.apple.com/en-us/120916 -~~	() https://support.apple.com/en-us/120916 - Release Notes, Vendor Advisory

25 Oct 2024, 12:56

Type	Values Removed	Values Added
Summary		(es) Se solucionó un problema en el manejo de protocolos URL con una lógica mejorada. Este problema se solucionó en tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 y iPadOS 17.6, macOS Sonoma 14.6. Es posible que los usuarios puedan eludir algunas restricciones de contenido web.

24 Oct 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-24 17:15

Updated : 2026-04-02 19:18

NVD link : CVE-2024-44206

Mitre link : CVE-2024-44206

CVE.ORG link : CVE-2024-44206

JSON object : View

Products Affected

apple

ipados
tvos
safari
visionos
macos
iphone_os

CWE

NVD-CWE-noinfo

9.3 /10