CVE-2024-40817 : The issue was addressed with improved UI handling. This issue is fixed in macOS

The issue was addressed with improved UI handling. This issue is fixed in macOS Sonoma 14.6, Safari 17.6, macOS Monterey 12.7.6, macOS Ventura 13.6.8. Visiting a website that frames malicious content may lead to UI spoofing.

Published 2024-07-29 22:16:51

Updated 2025-03-14 16:15:34

Source Apple Inc.

View at NVD, CVE.org

Products affected by CVE-2024-40817

Apple » Safari
Versions before (<) 17.6
cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
Matching versions
Apple » Macos
Versions from including (>=) 14.0 and before (<) 14.6
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Matching versions
Apple » Macos
Versions from including (>=) 13.0 and before (<) 13.6.8
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Matching versions
Apple » Macos
Versions from including (>=) 12.0 and before (<) 12.7.6
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2024-40817

EPSS FAQ

0.26%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 49 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-40817

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-03-14
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	NIST	2024-08-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2024-40817

CWE-1021 Improper Restriction of Rendered UI Layers or Frames

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2024-40817

http://seclists.org/fulldisclosure/2024/Jul/15

Full Disclosure: APPLE-SA-07-29-2024-1 Safari 17.6
Mailing List;Third Party Advisory

CVEs referencing this url
https://support.apple.com/en-us/HT214119

About the security content of macOS Sonoma 14.6 - Apple Support
Release Notes;Vendor Advisory

CVEs referencing this url
https://support.apple.com/en-us/HT214120

About the security content of macOS Ventura 13.6.8 - Apple Support
Release Notes;Vendor Advisory

CVEs referencing this url
http://seclists.org/fulldisclosure/2024/Jul/20

Full Disclosure: APPLE-SA-07-29-2024-6 macOS Monterey 12.7.6
Mailing List;Third Party Advisory

CVEs referencing this url
https://support.apple.com/en-us/HT214118

About the security content of macOS Monterey 12.7.6 - Apple Support
Release Notes;Vendor Advisory

CVEs referencing this url
https://support.apple.com/kb/HT214121

About the security content of Safari 17.6 - Apple Support
Release Notes;Vendor Advisory

CVEs referencing this url
https://support.apple.com/en-us/HT214121

About the security content of Safari 17.6 - Apple Support
Release Notes;Vendor Advisory

CVEs referencing this url
http://seclists.org/fulldisclosure/2024/Jul/19

Full Disclosure: APPLE-SA-07-29-2024-5 macOS Ventura 13.6.8
Mailing List;Third Party Advisory

CVEs referencing this url
http://seclists.org/fulldisclosure/2024/Jul/18

Full Disclosure: APPLE-SA-07-29-2024-4 macOS Sonoma 14.6
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2024-40817

Products affected by CVE-2024-40817

Exploit prediction scoring system (EPSS) score for CVE-2024-40817

CVSS scores for CVE-2024-40817

CWE ids for CVE-2024-40817

References for CVE-2024-40817