CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple » Iphone Os : Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4593 200 +Info 2016-07-21 2016-07-26
2.1
None Local Low Not required Partial None None
The Siri Contacts component in Apple iOS before 9.3.3 allows physically proximate attackers to read arbitrary Contact card information via unspecified vectors.
2 CVE-2016-1852 200 +Info 2016-05-20 2016-05-23
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9.3.2 does not block data detectors within results in the lock-screen state, which allows physically proximate attackers to obtain sensitive contact and photo information via unspecified vectors.
3 CVE-2016-1849 200 +Info 2016-05-20 2016-05-23
2.1
None Local Low Not required Partial None None
The "Clear History and Website Data" feature in Apple Safari before 9.1.1, as used in iOS before 9.3.2 and other products, mishandles the deletion of browsing history, which might allow local users to obtain sensitive information by leveraging read access to a Safari directory.
4 CVE-2016-1807 362 +Info 2016-05-20 2016-06-23
2.6
None Remote High Not required Partial None None
Race condition in the Disk Images subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to obtain sensitive information from kernel memory via unspecified vectors.
5 CVE-2016-1788 310 2016-03-23 2016-03-24
2.6
None Remote High Not required Partial None None
Messages in Apple iOS before 9.3, OS X before 10.11.4, and watchOS before 2.2 does not properly implement a cryptographic protection mechanism, which allows remote attackers to read message attachments via vectors related to duplicate messages.
6 CVE-2016-1760 284 Bypass 2016-03-29 2016-03-29
2.1
None Local Low Not required None Partial None
The XPC Services API in LaunchServices in Apple iOS before 9.3 allows attackers to bypass intended event-handler restrictions and modify an arbitrary app's events via a crafted app.
7 CVE-2015-8035 399 DoS 2015-11-18 2016-06-14
2.6
None Remote High Not required None None Partial
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
8 CVE-2015-7094 20 Bypass 2015-12-11 2015-12-14
2.6
None Remote High Not required None Partial None
CFNetwork HTTPProtocol in Apple iOS before 9.2 and OS X before 10.11.2 allows man-in-the-middle attackers to bypass the HSTS protection mechanism via a crafted URL.
9 CVE-2015-7080 200 Bypass +Info 2015-12-11 2015-12-11
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9.2 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.
10 CVE-2015-7046 200 Bypass +Info 2015-12-11 2015-12-11
2.6
None Remote High Not required Partial None None
The Sandbox feature in xnu in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 does not properly implement privilege separation, which allows attackers to bypass the ASLR protection mechanism via a crafted app with root privileges.
11 CVE-2015-7000 200 +Info 2015-10-23 2015-10-23
2.1
None Local Low Not required Partial None None
Notification Center in Apple iOS before 9.1 mishandles changes to "Show on Lock Screen" settings, which allows physically proximate attackers to obtain sensitive information by looking for a (1) Phone or (2) Messages notification on the lock screen soon after a setting was disabled.
12 CVE-2015-5923 200 +Info 2015-10-09 2015-10-09
2.1
None Local Low Not required Partial None None
Apple iOS before 9.0.2 does not properly restrict the options available on the lock screen, which allows physically proximate attackers to read contact data or view photos via unspecified vectors.
13 CVE-2015-5907 310 2015-09-18 2015-09-18
2.6
None Remote High Not required None Partial None
WebKit in Apple iOS before 9 allows man-in-the-middle attackers to conduct redirection attacks by leveraging the mishandling of the resource cache of an SSL web site with an invalid X.509 certificate.
14 CVE-2015-5898 200 +Info 2015-09-18 2015-10-09
2.1
None Local Low Not required Partial None None
CFNetwork in Apple iOS before 9 relies on the hardware UID for its cache encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
15 CVE-2015-5892 200 Bypass +Info 2015-09-18 2015-09-18
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.
16 CVE-2015-5863 200 +Info 2015-09-18 2015-10-13
2.1
None Local Low Not required Partial None None
IOStorageFamily in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows local users to obtain sensitive information from kernel memory via unknown vectors.
17 CVE-2015-5861 284 Bypass 2015-09-18 2015-09-18
2.1
None Local Low Not required None Partial None
SpringBoard in Apple iOS before 9 allows physically proximate attackers to bypass a lock-screen preview-disabled setting, and reply to an audio message, via unspecified vectors.
18 CVE-2015-5851 200 +Info 2015-09-18 2015-10-09
2.1
None Local Low Not required Partial None None
The convenience initializer in the Multipeer Connectivity component in Apple iOS before 9 does not require an encrypted session, which allows local users to obtain cleartext multipeer data via an encrypted-to-unencrypted downgrade attack.
19 CVE-2015-5850 254 2015-09-18 2015-09-18
2.1
None Local Low Not required None Partial None
AppleKeyStore in Apple iOS before 9 allows physically proximate attackers to reset the count of incorrect passcode attempts via a device backup.
20 CVE-2015-5842 200 +Info 2015-09-18 2015-10-09
2.1
None Local Low Not required Partial None None
XNU in the kernel in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows local users to obtain sensitive memory-layout information via unknown vectors.
21 CVE-2015-5832 200 +Info 2015-09-18 2015-09-18
2.1
None Local Low Not required Partial None None
The iTunes Store component in Apple iOS before 9 does not properly delete AppleID credentials from the keychain upon a signout action, which might allow physically proximate attackers to obtain sensitive information via unspecified vectors.
22 CVE-2015-5748 17 DoS 2015-08-16 2015-10-21
2.1
None Local Low Not required None None Partial
The kernel in Apple OS X before 10.10.5 does not properly mount HFS volumes, which allows local users to cause a denial of service via a crafted volume.
23 CVE-2015-3756 254 2015-08-16 2015-08-18
2.1
None Local Low Not required None Partial None
The Certificate UI in Apple iOS before 8.4.1 does not prevent X.509 certificate acceptance within the lock screen, which allows physically proximate attackers to establish arbitrary certificate trust relationships by completing a dialog.
24 CVE-2015-1116 200 +Info 2015-04-10 2015-09-11
2.1
None Local Low Not required Partial None None
The UIKit View component in Apple iOS before 8.3 displays unblurred application snapshots in the Task Switcher, which makes it easier for physically proximate attackers to obtain sensitive information by reading the device screen.
25 CVE-2015-1109 200 +Info 2015-04-10 2015-09-30
2.1
None Local Low Not required Partial None None
NetworkExtension in Apple iOS before 8.3 stores credentials in VPN configuration logs, which makes it easier for physically proximate attackers to obtain sensitive information by reading a log file.
26 CVE-2015-1108 200 +Info 2015-04-10 2015-09-30
2.1
None Local Low Not required Partial None None
The Lock Screen component in Apple iOS before 8.3 does not properly enforce the limit on incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses.
27 CVE-2015-1106 200 +Info 2015-04-10 2015-09-30
2.1
None Local Low Not required Partial None None
The QuickType feature in the Keyboards subsystem in Apple iOS before 8.3 allows physically proximate attackers to discover passcodes by reading the lock screen during use of a Bluetooth keyboard.
28 CVE-2015-1087 22 Dir. Trav. 2015-04-10 2015-09-30
2.1
None Local Low Not required Partial None None
Directory traversal vulnerability in Backup in Apple iOS before 8.3 allows attackers to read arbitrary files via a crafted relative path.
29 CVE-2014-4463 264 Bypass 2014-11-18 2014-12-30
2.1
None Local Low Not required Partial None None
Apple iOS before 8.1.1 allows physically proximate attackers to bypass the lock-screen protection mechanism, and view or transmit a Photo Library photo, via the FaceTime "Leave a Message" feature.
30 CVE-2014-4460 200 +Info 2014-11-18 2015-02-09
2.1
None Local Low Not required Partial None None
CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1 does not properly clear the browsing cache upon a transition out of private-browsing mode, which makes it easier for physically proximate attackers to obtain sensitive information by reading cache files.
31 CVE-2014-4455 264 Bypass 2014-11-18 2015-02-09
2.1
None Local Low Not required None Partial None
dyld in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly handle overlapping segments in Mach-O executable files, which allows local users to bypass intended code-signing restrictions via a crafted file.
32 CVE-2014-4367 264 2014-09-18 2014-09-18
2.1
None Local Low Not required None Partial None
Apple iOS before 8 enables Voice Dial during all upgrade actions, which makes it easier for physically proximate attackers to launch unintended calls by speaking a telephone number.
33 CVE-2014-4364 310 2014-09-18 2015-12-23
2.9
None Local Network Medium Not required Partial None None
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.
34 CVE-2014-4357 200 +Info 2014-09-18 2014-09-18
2.1
None Local Low Not required Partial None None
Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log.
35 CVE-2014-4356 200 +Info 2014-09-18 2014-09-18
2.1
None Local Low Not required Partial None None
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.
36 CVE-2014-4352 310 +Info 2014-09-18 2014-09-18
2.1
None Local Low Not required Partial None None
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
37 CVE-2014-1360 20 Bypass 2014-07-01 2015-11-25
2.1
None Local Low Not required None Partial None
Lockdown in Apple iOS before 7.1.2 does not properly verify data from activation servers, which makes it easier for physically proximate attackers to bypass the Activation Lock protection mechanism via unspecified vectors.
38 CVE-2014-1348 310 +Info 2014-07-01 2015-11-25
2.1
None Local Low Not required Partial None None
Mail in Apple iOS before 7.1.2 advertises the availability of data protection for attachments but stores cleartext attachments under mobile/Library/Mail/, which makes it easier for physically proximate attackers to obtain sensitive information by mounting the data partition.
39 CVE-2014-1274 200 +Info 2014-03-14 2014-03-14
2.1
None Local Low Not required Partial None None
FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call.
40 CVE-2013-5162 264 Bypass 2013-10-23 2013-10-24
2.1
None Local Low Not required Partial None None
Passcode Lock in Apple iOS before 7.0.3 on iPhone devices allows physically proximate attackers to bypass the passcode-failure disabled state by leveraging certain incorrect visibility of the passcode-entry view after use of the Phone app.
41 CVE-2013-5158 264 +Info 2013-09-19 2013-10-22
2.1
None Local Low Not required Partial None None
The Social subsystem in Apple iOS before 7 does not properly restrict access to the cache of Twitter icons, which allows physically proximate attackers to obtain sensitive information about recent Twitter interaction via unspecified vectors.
42 CVE-2013-5153 264 2013-09-19 2013-10-22
2.1
None Local Low Not required Partial None None
Springboard in Apple iOS before 7 does not properly manage the lock state in Lost Mode, which allows physically proximate attackers to read notifications via unspecified vectors.
43 CVE-2013-5137 264 2013-09-19 2013-10-22
2.6
None Remote High Not required None None Partial
IOKit in Apple iOS before 7 allows attackers to send user-interface events to the foreground app by leveraging control over a background app and using the (1) task-completion API or (2) VoIP API.
44 CVE-2013-0980 264 Bypass 2013-03-20 2013-03-21
2.1
None Local Low Not required None Partial None
The Passcode Lock implementation in Apple iOS before 6.1.3 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement by leveraging an error in the emergency-call feature.
45 CVE-2013-0978 200 Bypass +Info 2013-03-20 2013-03-21
2.1
None Local Low Not required Partial None None
The ARM prefetch abort handler in the kernel in Apple iOS before 6.1.3 and Apple TV before 5.2.1 does not ensure that it has been invoked in an abort context, which makes it easier for local users to bypass the ASLR protection mechanism via crafted code.
46 CVE-2013-0963 20 Bypass 2013-01-29 2013-03-15
2.1
None Local Low Not required None Partial None
Identity Services in Apple iOS before 6.1 does not properly handle validation failures of AppleID certificates, which might allow physically proximate attackers to bypass authentication by leveraging an incorrect assignment of an empty string value to an AppleID.
47 CVE-2013-0962 79 XSS 2013-01-29 2013-03-15
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in WebKit in Apple iOS before 6.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via crafted content that is not properly handled during a copy-and-paste operation.
48 CVE-2012-3740 264 Bypass 2012-09-20 2012-09-21
2.1
None Local Low Not required None Partial None
The Passcode Lock implementation in Apple iOS before 6 does not properly manage the lock state, which allows physically proximate attackers to bypass an intended passcode requirement via unspecified vectors.
49 CVE-2012-3739 264 Bypass 2012-09-20 2012-09-21
2.1
None Local Low Not required None Partial None
The Passcode Lock implementation in Apple iOS before 6 allows physically proximate attackers to bypass an intended passcode requirement via vectors involving use of the camera.
50 CVE-2012-3737 264 2012-09-20 2013-03-25
2.1
None Local Low Not required Partial None None
The Passcode Lock implementation in Apple iOS before 6 does not properly restrict photo viewing, which allows physically proximate attackers to view arbitrary stored photos by spoofing a time value.
Total number of vulnerabilities : 63   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.