CVE-2024-23230: An app may be able to access sensitive user data in Apple macOS
CVE-2024-23230 is a vulnerability in Apple macOS (Monterey 12. 7. 4, Ventura 13. 6. 5, Sonoma 14. 4) affecting the Shortcuts app. It allows a shortcut to use sensitive data with certain actions without prompting the user. The issue was addressed by adding additional permissions checks. This vulnerability has a CVSS score of 5. 5 (medium severity) and does not require user interaction for exploitation but requires local access with low privileges.
AI Analysis
Technical Summary
CVE-2024-23230 is a logic flaw in the Shortcuts component of macOS that could allow a shortcut to access sensitive user data through certain actions without displaying a prompt to the user. This bypass of expected permission prompts could lead to unauthorized use of sensitive data by shortcuts. Apple fixed the issue by implementing additional permissions checks to ensure user consent is properly enforced. The vulnerability affects macOS Monterey 12.7.4, Ventura 13.6.5, and Sonoma 14.4, where the fix has been applied.
Potential Impact
An attacker or malicious shortcut running with low privileges on a vulnerable macOS system could access sensitive user data without user consent or prompting. This could lead to unauthorized disclosure of sensitive information. The CVSS vector indicates local attack vector with low complexity and no user interaction required. There are no known exploits in the wild at this time.
Mitigation Recommendations
Apple has released official patches in macOS Monterey 12.7.4, macOS Ventura 13.6.5, and macOS Sonoma 14.4 that address this vulnerability by adding additional permissions checks. Users and administrators should apply these updates promptly to remediate the issue. No other mitigation steps are indicated by the vendor advisory.
CVE-2024-23230: An app may be able to access sensitive user data in Apple macOS
Description
CVE-2024-23230 is a vulnerability in Apple macOS (Monterey 12. 7. 4, Ventura 13. 6. 5, Sonoma 14. 4) affecting the Shortcuts app. It allows a shortcut to use sensitive data with certain actions without prompting the user. The issue was addressed by adding additional permissions checks. This vulnerability has a CVSS score of 5. 5 (medium severity) and does not require user interaction for exploitation but requires local access with low privileges.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-23230 is a logic flaw in the Shortcuts component of macOS that could allow a shortcut to access sensitive user data through certain actions without displaying a prompt to the user. This bypass of expected permission prompts could lead to unauthorized use of sensitive data by shortcuts. Apple fixed the issue by implementing additional permissions checks to ensure user consent is properly enforced. The vulnerability affects macOS Monterey 12.7.4, Ventura 13.6.5, and Sonoma 14.4, where the fix has been applied.
Potential Impact
An attacker or malicious shortcut running with low privileges on a vulnerable macOS system could access sensitive user data without user consent or prompting. This could lead to unauthorized disclosure of sensitive information. The CVSS vector indicates local attack vector with low complexity and no user interaction required. There are no known exploits in the wild at this time.
Mitigation Recommendations
Apple has released official patches in macOS Monterey 12.7.4, macOS Ventura 13.6.5, and macOS Sonoma 14.4 that address this vulnerability by adding additional permissions checks. Users and administrators should apply these updates promptly to remediate the issue. No other mitigation steps are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apple
- Date Reserved
- 2024-01-12T22:22:21.479Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 690a474e6d939959c8022593
Added to database: 11/4/2025, 6:34:54 PM
Last enriched: 4/9/2026, 11:00:24 PM
Last updated: 5/9/2026, 8:39:28 AM
Views: 62
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.