SpirityCVE

CVE-2024-40785 - webkitgtk: webkit2gtk: Processing maliciously crafted web content may lead to a cross site scripting attack

This issue was addressed with improved checks. This issue is fixed in Safari 17.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. Processing maliciously crafted web content may lead to a cross site scripting attack.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Apple	Ipados Iphone Os Macos Safari Tvos Visionos Watchos

Configuration 1 [-]

OR	cpe:2.3:o:apple:iphone_os::::::::
	cpe:2.3:o:apple:iphone_os::::::::

Configuration 2 [-]

OR	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:ipados::::::::

Configuration 3 [-]

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*

Configuration 5 [-]

cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*

Configuration 6 [-]

cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*

Configuration 7 [-]

cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.spirityenterprise.com/managed-detection-response
http://seclists.org/fulldisclosure/2024/Jul/15
http://seclists.org/fulldisclosure/2024/Jul/16
http://seclists.org/fulldisclosure/2024/Jul/17
http://seclists.org/fulldisclosure/2024/Jul/18
http://seclists.org/fulldisclosure/2024/Jul/21
http://seclists.org/fulldisclosure/2024/Jul/22
http://seclists.org/fulldisclosure/2024/Jul/23
https://lists.debian.org/debian-lts-announce/2024/09/msg00006.html
https://nvd.nist.gov/vuln/detail/CVE-2024-40785
https://support.apple.com/en-us/120908
https://support.apple.com/en-us/120909
https://support.apple.com/en-us/120911
https://support.apple.com/en-us/120913
https://support.apple.com/en-us/120914
https://support.apple.com/en-us/120915
https://support.apple.com/en-us/120916
https://support.apple.com/en-us/HT214116
https://support.apple.com/en-us/HT214117
https://support.apple.com/en-us/HT214119
https://support.apple.com/en-us/HT214121
https://support.apple.com/en-us/HT214122
https://support.apple.com/en-us/HT214123
https://support.apple.com/en-us/HT214124
https://support.apple.com/kb/HT214116
https://support.apple.com/kb/HT214117
https://support.apple.com/kb/HT214119
https://support.apple.com/kb/HT214122
https://support.apple.com/kb/HT214124
https://www.cve.org/CVERecord?id=CVE-2024-40785

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	This issue was addressed with improved checks. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, Safari 17.6, iOS 17.6 and iPadOS 17.6, watchOS 10.6, tvOS 17.6, visionOS 1.3, macOS Sonoma 14.6. Processing maliciously crafted web content may lead to a cross site scripting attack.	This issue was addressed with improved checks. This issue is fixed in Safari 17.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. Processing maliciously crafted web content may lead to a cross site scripting attack.
References		https://support.apple.com/en-us/120908 https://support.apple.com/en-us/120909 https://support.apple.com/en-us/120911 https://support.apple.com/en-us/120913 https://support.apple.com/en-us/120914 https://support.apple.com/en-us/120915 https://support.apple.com/en-us/120916

Tue, 04 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
References		https://support.apple.com/kb/HT214116 https://support.apple.com/kb/HT214117 https://support.apple.com/kb/HT214119 https://support.apple.com/kb/HT214122 https://support.apple.com/kb/HT214124

Tue, 04 Nov 2025 17:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/09/msg00006.html

Thu, 13 Feb 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 15 Aug 2024 17:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ipados Apple iphone Os Apple macos Apple safari Apple tvos Apple visionos Apple watchos
Weaknesses		CWE-79
CPEs		cpe:2.3:a:apple:safari:::::::: cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os:::::::: cpe:2.3:o:apple:macos:::::::: cpe:2.3:o:apple:tvos:::::::: cpe:2.3:o:apple:visionos:::::::: cpe:2.3:o:apple:watchos::::::::
Vendors & Products		Apple Apple ipados Apple iphone Os Apple macos Apple safari Apple tvos Apple visionos Apple watchos
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2024-07-29T22:16:56.242Z

Updated: 2026-04-02T18:18:06.904Z

Reserved: 2024-07-10T17:11:04.689Z

Link: CVE-2024-40785

Vulnrichment

Updated: 2025-11-04T17:23:28.318Z

NVD

Status : Modified

Published: 2024-07-29T23:15:11.997

Modified: 2026-04-02T19:17:43.467

Link: CVE-2024-40785

Redhat

Severity : Important

Publid Date: 2024-07-31T00:00:00Z

Links: CVE-2024-40785 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object