CVEdetails.com the ultimate security vulnerability data source

Apple : Security Vulnerabilities

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 CVE-2014-7861 20 DoS Exec Code 2014-10-05 2014-10-10
9.3
None Remote Medium Not required Complete Complete Complete
The IOHIDSecurePromptClient function in Apple OS X does not properly validate pointer values, which allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a crafted web site.
2 CVE-2014-5031 264 +Info 2014-07-29 2014-07-30
5.0
None Remote Low Not required Partial None None
The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtain sensitive information via unspecified vectors.
3 CVE-2014-5030 59 2014-07-29 2014-07-30
1.9
None Local Medium Not required Partial None None
CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py.
4 CVE-2014-5029 59 2014-07-29 2014-07-30
1.5
None Local Medium Single system Partial None None
The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537.
5 CVE-2014-4979 119 DoS Exec Code Overflow Mem. Corr. 2014-07-26 2014-09-23
9.3
None Remote Medium Not required Complete Complete Complete
Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom.
6 CVE-2014-4447 310 2014-10-17 2014-10-21
1.9
None Local Medium Not required Partial None None
Profile Manager in Apple OS X Server before 4.0 allows local users to discover cleartext passwords by reading a file after a (1) profile setup or (2) profile edit occurs.
7 CVE-2014-4446 264 Bypass 2014-10-17 2014-10-21
2.1
None Remote High Single system Partial None None
Mail Service in Apple OS X Server before 4.0 does not enforce SACL changes until after a service restart, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging a change made by an administrator.
8 CVE-2014-4444 287 +Priv 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
SecurityAgent in Apple OS X before 10.10 does not ensure that a Kerberos ticket is in the cache for the correct user, which allows local users to gain privileges in opportunistic circumstances by leveraging a Fast User Switching login.
9 CVE-2014-4443 20 DoS 2014-10-17 2014-10-21
7.1
None Remote Medium Not required None None Complete
Apple OS X before 10.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted ASN.1 data.
10 CVE-2014-4442 20 DoS 2014-10-17 2014-10-21
4.7
None Local Medium Not required None None Complete
The kernel in Apple OS X before 10.10 allows local users to cause a denial of service (panic) via a message to a system control socket.
11 CVE-2014-4441 264 2014-10-17 2014-10-21
6.8
None Remote Medium Not required Partial Partial Partial
NetFS Client Framework in Apple OS X before 10.10 does not ensure that the disabling of File Sharing is always possible, which allows remote attackers to read or write to files by leveraging a state in which File Sharing is permanently enabled.
12 CVE-2014-4440 16 +Info 2014-10-17 2014-10-21
2.6
None Remote High Not required Partial None None
The MCX Desktop Config Profiles implementation in Apple OS X before 10.10 retains web-proxy settings from uninstalled mobile-configuration profiles, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging access to an unintended proxy server.
13 CVE-2014-4439 200 +Info 2014-10-17 2014-10-21
2.6
None Remote High Not required Partial None None
Mail in Apple OS X before 10.10 does not properly recognize the removal of a recipient address from a message, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading a message intended exclusively for other recipients.
14 CVE-2014-4438 362 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
Race condition in LoginWindow in Apple OS X before 10.10 allows physically proximate attackers to obtain access by leveraging an unattended workstation on which screen locking had been attempted.
15 CVE-2014-4437 20 Bypass 2014-10-17 2014-10-21
4.3
None Remote Medium Not required None Partial None
LaunchServices in Apple OS X before 10.10 allows attackers to bypass intended sandbox restrictions via an application that specifies a crafted handler for the Content-Type field of an object.
16 CVE-2014-4436 94 DoS 2014-10-17 2014-10-21
5.4
None Remote High Not required None None Complete
IOHIDFamily in Apple OS X before 10.10 allows attackers to cause a denial of service (out-of-bounds read operation) via a crafted application.
17 CVE-2014-4435 287 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access via a brute-force attack involving a series of reboots.
18 CVE-2014-4434 20 DoS 2014-10-17 2014-10-21
4.9
None Local Low Not required None None Complete
The kernel in Apple OS X before 10.10 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted filename on an HFS filesystem.
19 CVE-2014-4433 119 Exec Code Overflow 2014-10-17 2014-10-21
4.4
None Local Medium Not required Partial Partial Partial
Heap-based buffer overflow in the kernel in Apple OS X before 10.10 allows physically proximate attackers to execute arbitrary code via crafted resource forks in an HFS filesystem.
20 CVE-2014-4432 310 2014-10-17 2014-10-21
4.0
None Local High Not required Complete None None
fdesetup in Apple OS X before 10.10 does not properly display the encryption status in between a setting-update action and a reboot action, which might make it easier for physically proximate attackers to obtain cleartext data by leveraging ignorance of the reboot requirement.
21 CVE-2014-4431 287 2014-10-17 2014-10-21
4.6
None Local Low Not required Partial Partial Partial
Dock in Apple OS X before 10.10 does not properly manage the screen-lock state, which allows physically proximate attackers to view windows by leveraging an unattended workstation.
22 CVE-2014-4430 310 2014-10-17 2014-10-21
4.0
None Local High Not required Complete None None
CoreStorage in Apple OS X before 10.10 retains a volume's encryption keys upon an eject action in the unlocked state, which makes it easier for physically proximate attackers to obtain cleartext data via a remount.
23 CVE-2014-4428 310 2014-10-17 2014-10-21
5.4
None Local Network Medium Not required Partial Partial Partial
Bluetooth in Apple OS X before 10.10 does not require encryption for HID Low Energy devices, which allows remote attackers to spoof a device by leveraging previous pairing.
24 CVE-2014-4427 264 Bypass 2014-10-17 2014-10-21
5.0
None Remote Low Not required None Partial None
App Sandbox in Apple OS X before 10.10 allows attackers to bypass a sandbox protection mechanism via the accessibility API.
25 CVE-2014-4426 200 +Info 2014-10-17 2014-10-21
4.3
None Remote Medium Not required Partial None None
AFP File Server in Apple OS X before 10.10 allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface.
26 CVE-2014-4425 287 2014-10-17 2014-10-21
4.6
None Local Low Not required Partial Partial Partial
CFPreferences in Apple OS X before 10.10 does not properly enforce the "require password after sleep or screen saver begins" setting, which makes it easier for physically proximate attackers to obtain access by leveraging an unattended workstation.
27 CVE-2014-4424 89 Exec Code Sql 2014-09-19 2014-09-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Wiki Server in CoreCollaboration in Apple OS X Server before 2.2.3 and 3.x before 3.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
28 CVE-2014-4423 264 Bypass 2014-09-18 2014-09-18
4.3
None Remote Medium Not required Partial None None
The Accounts subsystem in Apple iOS before 8 allows attackers to bypass a sandbox protection mechanism and obtain an active iCloud account's Apple ID and metadata via a crafted application.
29 CVE-2014-4422 310 Bypass 2014-09-18 2014-09-18
6.8
None Remote Medium Not required Partial Partial Partial
The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, which allows attackers to bypass certain kernel-hardening protection mechanisms by using a user-space process to observe data related to the random numbers.
30 CVE-2014-4421 +Info 2014-09-18 2014-09-18
1.9
None Local Medium Not required Partial None None
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4420.
31 CVE-2014-4420 +Info 2014-09-18 2014-09-18
1.9
None Local Medium Not required Partial None None
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4421.
32 CVE-2014-4419 +Info 2014-09-18 2014-09-18
1.9
None Local Medium Not required Partial None None
The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4420, and CVE-2014-4421.
33 CVE-2014-4418 20 Exec Code 2014-09-18 2014-09-18
9.3
None Remote Medium Not required Complete Complete Complete
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4388.
34 CVE-2014-4417 20 DoS 2014-10-17 2014-10-21
5.4
None Remote High Not required None None Complete
Safari in Apple OS X before 10.10 allows remote attackers to cause a denial of service (universal Push Notification outage) via a web site that triggers an uncaught SafariNotificationAgent exception by providing a crafted Push Notification.
35 CVE-2014-4416 20 Exec Code 2014-09-19 2014-09-19
6.9
None Local Medium Not required Complete Complete Complete
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4401.
36 CVE-2014-4415 119 DoS Exec Code Overflow Mem. Corr. 2014-09-18 2014-09-23
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.
37 CVE-2014-4414 119 DoS Exec Code Overflow Mem. Corr. 2014-09-18 2014-09-23
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.
38 CVE-2014-4413 119 DoS Exec Code Overflow Mem. Corr. 2014-09-18 2014-09-23
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.
39 CVE-2014-4412 119 DoS Exec Code Overflow Mem. Corr. 2014-09-18 2014-09-23
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.
40 CVE-2014-4411 119 DoS Exec Code Overflow Mem. Corr. 2014-09-18 2014-09-23
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.
41 CVE-2014-4410 119 DoS Exec Code Overflow Mem. Corr. 2014-09-18 2014-09-23
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2.
42 CVE-2014-4409 200 +Info 2014-09-18 2014-09-28
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 8 makes it easier for remote attackers to track users during private browsing via a crafted web site that reads HTML5 application-cache data that had been stored during normal browsing.
43 CVE-2014-4408 119 DoS Overflow +Priv 2014-09-18 2014-09-18
6.9
None Local Medium Not required Complete Complete Complete
The rt_setgate function in the kernel in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (out-of-bounds read and device crash) via a crafted call.
44 CVE-2014-4407 +Info 2014-09-18 2014-09-18
4.3
None Remote Medium Not required Partial None None
IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls.
45 CVE-2014-4406 79 XSS 2014-09-19 2014-09-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
46 CVE-2014-4405 DoS Exec Code 2014-09-18 2014-09-18
9.3
None Remote Medium Not required Complete Complete Complete
IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted key-mapping properties.
47 CVE-2014-4404 119 Exec Code Overflow 2014-09-18 2014-09-18
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.
48 CVE-2014-4403 200 Bypass +Info 2014-09-19 2014-09-19
2.1
None Local Low Not required Partial None None
The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table.
49 CVE-2014-4402 119 Exec Code Overflow 2014-09-19 2014-09-19
9.3
None Remote Medium Not required Complete Complete Complete
An unspecified IOAcceleratorFamily function in Apple OS X before 10.9.5 lacks proper bounds checking on read operations, which allows attackers to execute arbitrary code in a privileged context via a crafted application.
50 CVE-2014-4401 20 Exec Code 2014-09-19 2014-09-19
6.9
None Local Medium Not required Complete Complete Complete
An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4416.
Total number of vulnerabilities: 2386. Page 1 of 48.