CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-7116 119 DoS Overflow Mem. Corr. +Info 2016-01-09 2016-01-11
4.3
None Remote Medium Not required Partial None None
libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2015-7115.
2 CVE-2015-7115 119 DoS Overflow Mem. Corr. +Info 2016-01-09 2016-01-11
4.3
None Remote Medium Not required Partial None None
libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2015-7116.
3 CVE-2015-7093 20 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None Partial None
Safari in Apple iOS before 9.2 allows remote attackers to spoof a URL in the user interface via a crafted web site.
4 CVE-2015-7062 264 Bypass 2015-12-11 2015-12-11
4.6
None Local Low Not required Partial Partial Partial
Apple OS X before 10.11.2 and tvOS before 9.1 allow local users to bypass intended configuration-profile installation restrictions via unspecified vectors.
5 CVE-2015-7058 200 +Info 2015-12-11 2015-12-11
4.3
None Remote Medium Not required Partial None None
Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 improperly validate keychain item ACLs, which allows attackers to obtain access to keychain items via a crafted app.
6 CVE-2015-7057 119 DoS Overflow +Priv Mem. Corr. 2015-12-11 2015-12-11
4.6
None Local Low Not required Partial Partial Partial
otools in Apple Xcode before 7.2 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted mach-o file, a different vulnerability than CVE-2015-7049.
7 CVE-2015-7050 200 +Info 2015-12-11 2015-12-11
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.2 and Safari before 9.0.2 misparses content extensions, which allows remote attackers to obtain sensitive browsing-history information via a crafted web site.
8 CVE-2015-7049 119 DoS Overflow +Priv Mem. Corr. 2015-12-11 2015-12-11
4.6
None Local Low Not required Partial Partial Partial
otools in Apple Xcode before 7.2 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted mach-o file, a different vulnerability than CVE-2015-7057.
9 CVE-2015-7043 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7040, CVE-2015-7041, and CVE-2015-7042.
10 CVE-2015-7042 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7040, CVE-2015-7041, and CVE-2015-7043.
11 CVE-2015-7041 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7040, CVE-2015-7042, and CVE-2015-7043.
12 CVE-2015-7040 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7041, CVE-2015-7042, and CVE-2015-7043.
13 CVE-2015-7022 200 +Info 2015-10-23 2015-10-23
4.3
None Remote Medium Not required Partial None None
The Telephony subsystem in Apple iOS before 9.1 allows attackers to obtain sensitive call-status information via a crafted app.
14 CVE-2015-6997 254 2015-10-23 2015-12-11
4.3
None Remote Medium Not required None Partial None
The X.509 certificate-trust implementation in Apple iOS before 9.1 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.
15 CVE-2015-5943 254 Bypass 2015-10-23 2015-10-26
4.3
None Remote Medium Not required None Partial None
SecurityAgent in Apple OS X before 10.11.1 does not prevent synthetic clicks from reaching keychain windows, which allows attackers to bypass intended access restrictions via a crafted app.
16 CVE-2015-5921 200 +Info 2015-09-18 2015-09-18
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9 mishandles "Content-Disposition: attachment" HTTP headers, which might allow man-in-the-middle attackers to obtain sensitive information via unspecified vectors.
17 CVE-2015-5920 2015-09-18 2015-09-22
4.3
None Remote Medium Not required Partial None None
The Software Update component in Apple iTunes before 12.3 does not properly handle redirection, which allows man-in-the-middle attackers to discover encrypted SMB credentials via unspecified vectors.
18 CVE-2015-5916 200 +Info 2015-09-18 2015-10-28
4.3
None Remote Medium Not required Partial None None
The Apple Pay component in Apple iOS before 9 allows remote terminals to obtain sensitive recent-transaction information during payments by leveraging the transaction-log feature.
19 CVE-2015-5914 17 2015-10-09 2015-10-09
4.7
None Local Medium Not required None Complete None
The EFI component in Apple OS X before 10.11 allows physically proximate attackers to modify firmware during the EFI update process by inserting an Apple Ethernet Thunderbolt adapter with crafted code in an Option ROM, aka a "Thunderstrike" issue. NOTE: this issue exists because of an incomplete fix for CVE-2014-4498.
20 CVE-2015-5904 254 2015-09-18 2015-09-18
4.3
None Remote Medium Not required None Partial None
Safari in Apple iOS before 9 allows remote attackers to spoof the relationship between URLs and web content via a crafted web site.
21 CVE-2015-5902 DoS 2015-10-09 2015-10-09
4.9
None Local Low Not required None None Complete
The debugging feature in the kernel in Apple OS X before 10.11 mismanages state, which allows local users to cause a denial of service via unspecified vectors.
22 CVE-2015-5897 264 +Priv 2015-10-09 2015-10-09
4.6
None Local Low Not required Partial Partial Partial
The Address Book framework in Apple OS X before 10.11 allows local users to gain privileges by using an environment variable to inject code into processes that rely on this framework.
23 CVE-2015-5894 17 2015-10-09 2015-10-09
4.3
None Remote Medium Not required None Partial None
The X.509 certificate-trust implementation in Apple OS X before 10.11 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.
24 CVE-2015-5880 200 Bypass +Info 2015-09-18 2015-09-18
4.3
None Remote Medium Not required Partial None None
CoreAnimation in Apple iOS before 9 allows attackers to bypass intended IOSurface restrictions and obtain screen-framebuffer access via a crafted background app.
25 CVE-2015-5865 200 +Info 2015-10-09 2015-10-09
4.3
None Remote Medium Not required Partial None None
IOGraphics in Apple OS X before 10.11 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
26 CVE-2015-5862 119 DoS Overflow Mem. Corr. 2015-09-18 2015-10-13
4.3
None Remote Medium Not required None None Partial
The Audio component in Apple iOS before 9 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted audio file.
27 CVE-2015-5859 200 +Info 2015-11-21 2015-11-30
4.3
None Remote Medium Not required Partial None None
The CFNetwork HTTPProtocol component in Apple iOS before 9 and OS X before 10.11 does not properly recognize the HSTS preload list during a Safari private-browsing session, which makes it easier for remote attackers to obtain sensitive information by sniffing the network.
28 CVE-2015-5856 254 DoS 2015-09-18 2015-09-18
4.3
None Remote Medium Not required None None Partial
The Application Store component in Apple iOS before 9 allows remote attackers to cause a denial of service to an enterprise-signed app via a crafted ITMS URL.
29 CVE-2015-5855 200 +Info 2015-09-18 2015-10-13
4.3
None Remote Medium Not required Partial None None
Apple iOS before 9 allows attackers to discover the e-mail address of a player via a crafted Game Center app.
30 CVE-2015-5838 284 2015-09-18 2015-09-18
4.3
None Remote Medium Not required None Partial None
SpringBoard in Apple iOS before 9 does not properly restrict access to privileged API calls, which allows attackers to spoof the dialog windows of an arbitrary app via a crafted app.
31 CVE-2015-5837 20 Bypass 2015-09-18 2015-10-09
4.3
None Remote Medium Not required None Partial None
PluginKit in Apple iOS before 9 allows attackers to bypass an intended app-trust requirement and install arbitrary extensions via a crafted enterprise app.
32 CVE-2015-5836 200 +Info 2015-10-09 2015-10-09
4.3
None Remote Medium Not required Partial None None
Apple Online Store Kit in Apple OS X before 10.11 improperly validates iCloud keychain item ACLs, which allows attackers to obtain access to keychain items via a crafted app.
33 CVE-2015-5835 200 +Info 2015-09-18 2015-09-18
4.3
None Remote Medium Not required Partial None None
Apple iOS before 9 allows attackers to obtain sensitive information about inter-app communication via a crafted app that conducts an interception attack involving an unspecified URL scheme.
34 CVE-2015-5834 200 +Info 2015-09-18 2015-10-09
4.3
None Remote Medium Not required Partial None None
IOAcceleratorFamily in Apple iOS before 9 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
35 CVE-2015-5828 20 Bypass 2015-10-09 2015-10-09
4.3
None Remote Medium Not required None Partial None
The API in the WebKit Plug-ins component in Apple Safari before 9 does not provide notification of an HTTP Redirection (aka 3xx) status code to a plugin, which allows remote attackers to bypass intended request restrictions via a crafted web site.
36 CVE-2015-5826 284 Bypass 2015-09-18 2015-10-20
4.3
None Remote Medium Not required None Partial None
WebKit in Apple iOS before 9 does not properly select the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
37 CVE-2015-5825 200 +Info 2015-09-18 2015-10-20
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9 does not properly restrict the availability of Performance API times, which allows remote attackers to obtain sensitive information about the browser history, mouse movement, or network traffic via crafted JavaScript code.
38 CVE-2015-5824 310 +Info 2015-09-18 2015-10-20
4.3
None Local Network Medium Not required Partial Partial None
The NSURL implementation in the CFNetwork SSL component in Apple iOS before 9 does not properly verify X.509 certificates from SSL servers after a certificate change, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
39 CVE-2015-5820 20 2015-09-18 2015-11-30
4.3
None Remote Medium Not required None Partial None
WebKit in Apple iOS before 9 allows remote attackers to trigger a dialing action via a crafted (1) tel://, (2) facetime://, or (3) facetime-audio:// URL.
40 CVE-2015-5788 200 Bypass +Info 2015-09-18 2015-10-21
4.3
None Remote Medium Not required Partial None None
The WebKit Canvas implementation in Apple iOS before 9 allows remote attackers to bypass the Same Origin Policy and obtain sensitive image information via vectors involving a CANVAS element.
41 CVE-2015-5787 264 Bypass 2015-11-21 2015-11-23
4.3
None Remote Medium Not required None Partial None
The kernel in Apple iOS before 8.4.1 does not properly restrict debugging features, which allows attackers to bypass background-execution limitations via a crafted app.
42 CVE-2015-5782 200 +Info 2015-08-16 2015-08-19
4.3
None Remote Medium Not required Partial None None
ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not properly initialize an unspecified data structure, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.
43 CVE-2015-5781 200 +Info 2015-08-16 2015-08-19
4.3
None Remote Medium Not required Partial None None
ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not properly initialize an unspecified data structure, which allows remote attackers to obtain sensitive information from process memory via a crafted PNG image.
44 CVE-2015-5768 200 +Info 2015-08-16 2015-08-19
4.3
None Remote Medium Not required Partial None None
AppleGraphicsControl in Apple OS X before 10.10.5 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
45 CVE-2015-5767 20 2015-09-18 2015-10-21
4.3
None Remote Medium Not required None Partial None
The user interface in Safari in Apple iOS before 9 allows remote attackers to spoof URLs via unspecified vectors, a different vulnerability than CVE-2015-5764 and CVE-2015-5765.
46 CVE-2015-5765 20 2015-09-18 2015-10-21
4.3
None Remote Medium Not required None Partial None
The user interface in Safari in Apple iOS before 9 allows remote attackers to spoof URLs via unspecified vectors, a different vulnerability than CVE-2015-5764 and CVE-2015-5767.
47 CVE-2015-5764 20 2015-09-18 2015-10-21
4.3
None Remote Medium Not required None Partial None
The user interface in Safari in Apple iOS before 9 allows remote attackers to spoof URLs via unspecified vectors, a different vulnerability than CVE-2015-5765 and CVE-2015-5767.
48 CVE-2015-5749 200 Bypass +Info 2015-08-16 2015-08-19
4.3
None Remote Medium Not required Partial None None
The Sandbox_profiles component in Apple iOS before 8.4.1 allows attackers to bypass the third-party app-sandbox protection mechanism and read arbitrary managed preferences via a crafted app.
49 CVE-2015-5747 399 DoS 2015-08-16 2015-08-19
4.9
None Local Low Not required None None Complete
The fasttrap driver in the kernel in Apple OS X before 10.10.5 allows local users to cause a denial of service (resource consumption) via unspecified vectors.
50 CVE-2015-4000 310 2015-05-20 2016-01-21
4.3
None Remote Medium Not required None Partial None
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Total number of vulnerabilities : 465   Page : 1 (This Page)2 3 4 5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.