CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-3027 264 Bypass 2015-04-10 2015-04-17
5.0
None Remote Low Not required None Partial None
Clang in LLVM, as used in Apple Xcode before 6.3, performs incorrect register allocation in a way that triggers stack storage for stack cookie pointers, which might allow context-dependent attackers to bypass a stack-guard protection mechanism via crafted input to an affected C program.
2 CVE-2015-2808 310 2015-03-31 2015-04-01
4.3
None Remote Medium Not required Partial None None
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
3 CVE-2015-1212 DoS 2015-02-06 2015-03-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
4 CVE-2015-1211 264 +Priv 2015-02-06 2015-03-11
7.5
None Remote Low Not required Partial Partial Partial
The OriginCanAccessServiceWorkers function in content/browser/service_worker/service_worker_dispatcher_host.cc in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android does not properly restrict the URI scheme during a ServiceWorker registration, which allows remote attackers to gain privileges via a filesystem: URI.
5 CVE-2015-1210 264 Bypass 2015-02-06 2015-03-11
5.0
None Remote Low Not required None Partial None
The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
6 CVE-2015-1209 DoS 2015-02-06 2015-03-11
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the VisibleSelection::nonBoundaryShadowTreeRootNode function in core/editing/VisibleSelection.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper handling of a shadow-root anchor.
7 CVE-2015-1149 189 DoS Overflow 2015-04-10 2015-04-14
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in the simulator in Swift in Apple Xcode before 6.3 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact by triggering an incorrect result of a type conversion.
8 CVE-2015-1148 200 +Info 2015-04-10 2015-04-14
5.0
None Remote Low Not required Partial None None
Screen Sharing in Apple OS X before 10.10.3 stores the password of a user in a log file, which might allow context-dependent attackers to obtain sensitive information by reading this file.
9 CVE-2015-1147 200 +Info 2015-04-10 2015-04-14
5.0
None Remote Low Not required Partial None None
Open Directory Client in Apple OS X before 10.10.3 sends unencrypted password-change requests in certain circumstances involving missing certificates, which allows remote attackers to obtain sensitive information by sniffing the network.
10 CVE-2015-1146 310 Bypass 2015-04-10 2015-04-14
1.9
None Local Medium Not required None Partial None
The Code Signing implementation in Apple OS X before 10.10.3 does not properly validate signatures, which allows local users to bypass intended access restrictions via a crafted bundle, a different vulnerability than CVE-2015-1145.
11 CVE-2015-1145 310 Bypass 2015-04-10 2015-04-14
1.9
None Local Medium Not required None Partial None
The Code Signing implementation in Apple OS X before 10.10.3 does not properly validate signatures, which allows local users to bypass intended access restrictions via a crafted bundle, a different vulnerability than CVE-2015-1146.
12 CVE-2015-1144 119 Overflow +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in the UniformTypeIdentifiers component in Apple OS X before 10.10.3 allows local users to gain privileges via a crafted Uniform Type Identifier.
13 CVE-2015-1143 +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
LaunchServices in Apple OS X before 10.10.3 allows local users to gain privileges via a crafted localized string, related to a "type confusion" issue.
14 CVE-2015-1142 20 DoS 2015-04-10 2015-04-14
2.1
None Local Low Not required None None Partial
LaunchServices in Apple OS X before 10.10.3 allows local users to cause a denial of service (Finder crash) via crafted localization data.
15 CVE-2015-1141 DoS 2015-04-10 2015-04-14
4.9
None Local Low Not required None None Complete
The mach_vm_read functionality in the kernel in Apple OS X before 10.10.3 allows local users to cause a denial of service (system crash) via unspecified vectors.
16 CVE-2015-1140 119 Overflow +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors.
17 CVE-2015-1139 20 DoS Exec Code Mem. Corr. 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
ImageIO in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .sgi file.
18 CVE-2015-1138 20 DoS 2015-04-10 2015-04-14
4.9
None Local Low Not required None None Complete
Hypervisor in Apple OS X before 10.10.3 allows local users to cause a denial of service via unspecified vectors.
19 CVE-2015-1137 DoS +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via an unspecified IOService userclient type.
20 CVE-2015-1136 Exec Code 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in CoreAnimation in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code by leveraging improper use of a mutex.
21 CVE-2015-1135 20 +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1134.
22 CVE-2015-1134 20 +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1135.
23 CVE-2015-1133 20 +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1134, and CVE-2015-1135.
24 CVE-2015-1132 20 +Priv 2015-04-10 2015-04-14
10.0
None Remote Low Not required Complete Complete Complete
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135.
25 CVE-2015-1131 20 +Priv 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135.
26 CVE-2015-1130 254 Bypass 2015-04-10 2015-04-14
7.2
None Local Low Not required Complete Complete Complete
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.
27 CVE-2015-1129 310 2015-04-10 2015-04-14
4.3
None Remote Medium Not required Partial None None
Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 does not properly select X.509 client certificates, which makes it easier for remote attackers to track users via a crafted web site.
28 CVE-2015-1128 200 +Info 2015-04-10 2015-04-14
5.0
None Remote Low Not required Partial None None
The private-browsing implementation in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 allows attackers to obtain sensitive browsing-history information via vectors involving push-notification requests.
29 CVE-2015-1127 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The private-browsing implementation in WebKit in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 places browsing history into an index, which might allow local users to obtain sensitive information by reading index entries.
30 CVE-2015-1126 20 2015-04-10 2015-04-14
4.3
None Remote Medium Not required Partial None None
WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not properly handle the userinfo field in FTP URLs, which allows remote attackers to trigger incorrect resource access via unspecified vectors.
31 CVE-2015-1125 17 2015-04-10 2015-04-14
4.3
None Remote Medium Not required None Partial None
The touch-events implementation in WebKit in Apple iOS before 8.3 allows remote attackers to trigger an association between a tap and an unintended web resource via a crafted web site.
32 CVE-2015-1124 DoS Exec Code Mem. Corr. 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4.
33 CVE-2015-1123 DoS Exec Code Mem. Corr. 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8.3 and Apple TV before 7.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-3 and APPLE-SA-2015-04-08-4.
34 CVE-2015-1122 DoS Exec Code Mem. Corr. 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4.
35 CVE-2015-1121 DoS Exec Code Mem. Corr. 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4.
36 CVE-2015-1120 DoS Exec Code Mem. Corr. 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4.
37 CVE-2015-1119 DoS Exec Code Mem. Corr. 2015-04-10 2015-04-14
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4.
38 CVE-2015-1118 DoS Mem. Corr. 2015-04-10 2015-04-14
5.0
None Remote Low Not required None None Partial
libnetcore in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (memory corruption and application crash) via a crafted configuration profile.
39 CVE-2015-1117 264 Exec Code 2015-04-10 2015-04-14
6.9
None Local Medium Not required Complete Complete Complete
The (1) setreuid and (2) setregid system-call implementations in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 do not properly perform privilege drops, which makes it easier for attackers to execute code with unintended user or group privileges via a crafted app.
40 CVE-2015-1116 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The UIKit View component in Apple iOS before 8.3 displays unblurred application snapshots in the Task Switcher, which makes it easier for physically proximate attackers to obtain sensitive information by reading the device screen.
41 CVE-2015-1115 284 Bypass 2015-04-10 2015-04-14
4.4
None Local Medium Not required Partial Partial Partial
The Telephony component in Apple iOS before 8.3 allows attackers to bypass a sandbox protection mechanism and access unintended telephone capabilities via a crafted app.
42 CVE-2015-1114 200 +Info 2015-04-10 2015-04-14
1.9
None Local Medium Not required Partial None None
The Sandbox Profiles component in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to discover hardware identifiers via a crafted app.
43 CVE-2015-1113 200 +Info 2015-04-10 2015-04-14
1.9
None Local Medium Not required Partial None None
The Sandbox Profiles component in Apple iOS before 8.3 allows attackers to read the (1) telephone number or (2) e-mail address of a recent contact via a crafted app.
44 CVE-2015-1112 200 +Info 2015-04-10 2015-04-14
5.0
None Remote Low Not required Partial None None
Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as used on iOS before 8.3 and other platforms, does not properly delete browsing-history data from the history.plist file, which allows attackers to obtain sensitive information by reading this file.
45 CVE-2015-1111 200 +Info 2015-04-10 2015-04-14
5.0
None Remote Low Not required Partial None None
Safari in Apple iOS before 8.3 does not delete Recently Closed Tabs data in response to a history-clearing action, which allows attackers to obtain sensitive information by reading a history file.
46 CVE-2015-1110 200 +Info 2015-04-10 2015-04-14
5.0
None Remote Low Not required Partial None None
The Podcasts component in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to discover unique identifiers by reading asset-download request data.
47 CVE-2015-1109 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
NetworkExtension in Apple iOS before 8.3 stores credentials in VPN configuration logs, which makes it easier for physically proximate attackers to obtain sensitive information by reading a log file.
48 CVE-2015-1108 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The Lock Screen component in Apple iOS before 8.3 does not properly enforce the limit on incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses.
49 CVE-2015-1107 2015-04-10 2015-04-14
1.9
None Local Medium Not required None Partial None
The Lock Screen component in Apple iOS before 8.3 does not properly implement the erasure feature for incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses.
50 CVE-2015-1106 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The QuickType feature in the Keyboards subsystem in Apple iOS before 8.3 allows physically proximate attackers to discover passcodes by reading the lock screen during use of a Bluetooth keyboard.
Total number of vulnerabilities : 2576   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.