FKIE_CVE-2024-23245

Vulnerability from fkie_nvd - Published: 2024-03-08 02:15 - Updated: 2025-11-04 19:16
Severity ?
3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent.
References
product-security@apple.comhttp://seclists.org/fulldisclosure/2024/Mar/21Mailing List
product-security@apple.comhttp://seclists.org/fulldisclosure/2024/Mar/22Mailing List
product-security@apple.comhttp://seclists.org/fulldisclosure/2024/Mar/23Mailing List
product-security@apple.comhttps://support.apple.com/en-us/HT214083Vendor Advisory
product-security@apple.comhttps://support.apple.com/en-us/HT214084Vendor Advisory
product-security@apple.comhttps://support.apple.com/en-us/HT214085Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2024/Mar/21Mailing List
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2024/Mar/22Mailing List
af854a3a-2127-422b-91ae-364da2661108http://seclists.org/fulldisclosure/2024/Mar/23Mailing List
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/en-us/HT214083Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/en-us/HT214084Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/en-us/HT214085Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/kb/HT214083
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/kb/HT214084
af854a3a-2127-422b-91ae-364da2661108https://support.apple.com/kb/HT214085
Impacted products
Vendor Product Version
apple macos *
apple macos *
apple macos *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A61173BD-535F-46FC-B40F-DA78B168E420",
              "versionEndExcluding": "12.7.4",
              "versionStartIncluding": "12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "69C4F06A-061F-46B3-8BB7-5C9B47C00956",
              "versionEndExcluding": "13.6.5",
              "versionStartIncluding": "13.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73160D1F-755B-46D2-969F-DF8E43BB1099",
              "versionEndExcluding": "14.4",
              "versionStartIncluding": "14.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. Third-party shortcuts may use a legacy action from Automator to send events to apps without user consent."
    },
    {
      "lang": "es",
      "value": "Este problema se solucion\u00f3 agregando una solicitud adicional de consentimiento del usuario. Este problema se solucion\u00f3 en macOS Sonoma 14.4, macOS Monterey 12.7.4, macOS Ventura 13.6.5. Los atajos de terceros pueden utilizar una acci\u00f3n heredada de Automator para enviar eventos a aplicaciones sin el consentimiento del usuario."
    }
  ],
  "id": "CVE-2024-23245",
  "lastModified": "2025-11-04T19:16:41.127",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.5,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-03-08T02:15:48.287",
  "references": [
    {
      "source": "product-security@apple.com",
      "tags": [
        "Mailing List"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
    },
    {
      "source": "product-security@apple.com",
      "tags": [
        "Mailing List"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/22"
    },
    {
      "source": "product-security@apple.com",
      "tags": [
        "Mailing List"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/23"
    },
    {
      "source": "product-security@apple.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/en-us/HT214083"
    },
    {
      "source": "product-security@apple.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "source": "product-security@apple.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/en-us/HT214085"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/21"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/22"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://seclists.org/fulldisclosure/2024/Mar/23"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/en-us/HT214083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/en-us/HT214084"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://support.apple.com/en-us/HT214085"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/kb/HT214083"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/kb/HT214084"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://support.apple.com/kb/HT214085"
    }
  ],
  "sourceIdentifier": "product-security@apple.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.