CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple » Iphone Os : Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4747 200 +Info 2016-09-18 2016-09-19
4.3
None Remote Medium Not required Partial None None
Mail in Apple iOS before 10 mishandles certificates, which makes it easier for man-in-the-middle attackers to discover mail credentials via unspecified vectors.
2 CVE-2016-4741 254 2016-09-18 2016-09-19
4.3
None Remote Medium Not required None None Partial
The Assets component in Apple iOS before 10 allows man-in-the-middle attackers to block software updates via vectors related to lack of an HTTPS session for retrieving updates.
3 CVE-2016-4722 20 +Info 2016-09-25 2016-09-26
4.3
None Remote Medium Not required Partial None None
The IDS - Connectivity component in Apple iOS before 10 and OS X before 10.12 allows man-in-the-middle attackers to conduct Call Relay spoofing attacks and obtain sensitive information via unspecified vectors.
4 CVE-2016-4719 200 +Info 2016-09-18 2016-09-19
4.3
None Remote Medium Not required Partial None None
The GeoServices component in Apple iOS before 10 and watchOS before 3 does not properly restrict access to PlaceData information, which allows attackers to discover physical locations via a crafted application.
5 CVE-2016-4718 119 Overflow +Info 2016-09-25 2016-09-26
4.3
None Remote Medium Not required Partial None None
Buffer overflow in FontParser in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to obtain sensitive information from process memory via a crafted font file.
6 CVE-2016-4708 200 +Info 2016-09-25 2016-09-26
4.3
None Remote Medium Not required Partial None None
CFNetwork in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 misparses the Set-Cookie header, which allows remote attackers to obtain sensitive information via a crafted HTTP response.
7 CVE-2016-4651 79 XSS 2016-07-21 2016-07-26
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the WebKit JavaScript bindings in Apple iOS before 9.3.3 and Safari before 9.1.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP/0.9 response, related to a "cross-protocol cross-site scripting (XPXSS)" vulnerability.
8 CVE-2016-4628 125 DoS +Info 2016-07-21 2016-07-27
4.9
None Local Low Not required Complete None None
IOAcceleratorFamily in Apple iOS before 9.3.3 and watchOS before 2.2.2 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via unspecified vectors.
9 CVE-2016-4620 200 +Info 2016-09-18 2016-09-19
4.3
None Remote Medium Not required Partial None None
The Sandbox Profiles component in Apple iOS before 10 does not properly restrict access to directory metadata for SMS draft directories, which allows attackers to discover text-message recipients via a crafted app.
10 CVE-2016-4618 79 XSS 2016-09-25 2016-09-26
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Safari Reader in Apple iOS before 10 and Safari before 10 allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)."
11 CVE-2016-4603 254 Bypass +Info 2016-07-21 2016-07-27
4.3
None Remote Medium Not required Partial None None
Web Media in Apple iOS before 9.3.3 allows attackers to bypass the Private Browsing protection mechanism and obtain sensitive video URL information by leveraging Safari View Controller misbehavior.
12 CVE-2016-4594 20 2016-07-21 2016-07-26
4.6
None Local Low Not required Partial Partial Partial
The Sandbox Profiles component in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows attackers to access the process list via a crafted app that makes an API call.
13 CVE-2016-1865 476 DoS 2016-07-21 2016-07-26
4.9
None Local Low Not required None None Complete
The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
14 CVE-2016-1858 200 +Info 2016-05-20 2016-06-15
4.3
None Remote Medium Not required Partial None None
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, improperly tracks taint attributes, which allows remote attackers to obtain sensitive information via a crafted web site.
15 CVE-2016-1832 119 DoS Overflow +Priv Mem. Corr. 2016-05-20 2016-05-24
4.6
None Local Low Not required Partial Partial Partial
libc in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.
16 CVE-2016-1814 DoS 2016-05-20 2016-05-20
4.3
None Remote Medium Not required None None Partial
IOAcceleratorFamily in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app.
17 CVE-2016-1802 200 +Info 2016-05-20 2016-05-20
4.3
None Remote Medium Not required Partial None None
CCCrypt in CommonCrypto in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 mishandles return values during key-length calculations, which allows attackers to obtain sensitive information via a crafted app.
18 CVE-2016-1790 119 Overflow +Info 2016-05-20 2016-05-20
4.3
None Remote Medium Not required Partial None None
Buffer overflow in the Accessibility component in Apple iOS before 9.3.2 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
19 CVE-2016-1785 200 Bypass +Info 2016-03-23 2016-03-25
4.3
None Remote Medium Not required Partial None None
The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles character encoding during access to cached data, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
20 CVE-2016-1784 399 DoS 2016-03-23 2016-03-28
4.3
None Remote Medium Not required None None Partial
The History implementation in WebKit in Apple iOS before 9.3, Safari before 9.1, and tvOS before 9.2 allows remote attackers to cause a denial of service (resource consumption and application crash) via a crafted web site.
21 CVE-2016-1782 284 Bypass 2016-03-23 2016-03-25
4.3
None Remote Medium Not required None Partial None
WebKit in Apple iOS before 9.3 and Safari before 9.1 does not properly restrict redirects that specify a TCP port number, which allows remote attackers to bypass intended port restrictions via a crafted web site.
22 CVE-2016-1781 19 2016-03-23 2016-03-25
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles attachment URLs, which makes it easier for remote web servers to track users via unspecified vectors.
23 CVE-2016-1780 200 +Info 2016-03-23 2016-03-25
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.3 does not prevent hidden web views from reading orientation and motion data, which allows remote attackers to obtain sensitive information about a device's physical environment via a crafted web site.
24 CVE-2016-1779 200 Bypass +Info 2016-03-23 2016-03-25
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote attackers to bypass the Same Origin Policy and obtain physical-location data via a crafted geolocation request.
25 CVE-2016-1758 119 DoS Overflow +Info 2016-03-23 2016-03-25
4.3
None Remote Medium Not required Partial None None
The kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to obtain sensitive memory-layout information or cause a denial of service (out-of-bounds read) via a crafted app.
26 CVE-2016-1748 200 +Info 2016-03-23 2016-03-25
4.3
None Remote Medium Not required Partial None None
IOHIDFamily in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9.2, and watchOS before 2.2 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
27 CVE-2016-1728 200 +Info 2016-02-01 2016-02-16
4.3
None Remote Medium Not required Partial None None
The Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1 and Safari before 9.0.3 mishandles the "a:visited button" selector during height processing, which makes it easier for remote attackers to obtain sensitive browser-history information via a crafted web site.
28 CVE-2015-7116 119 DoS Overflow Mem. Corr. +Info 2016-01-09 2016-01-11
4.3
None Remote Medium Not required Partial None None
libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2015-7115.
29 CVE-2015-7115 119 DoS Overflow Mem. Corr. +Info 2016-01-09 2016-01-11
4.3
None Remote Medium Not required Partial None None
libxml2 in Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 allows remote attackers to obtain sensitive information or cause a denial of service (memory corruption) via a crafted XML document, a different vulnerability than CVE-2015-7116.
30 CVE-2015-7062 264 Bypass 2015-12-11 2015-12-11
4.6
None Local Low Not required Partial Partial Partial
Apple OS X before 10.11.2 and tvOS before 9.1 allow local users to bypass intended configuration-profile installation restrictions via unspecified vectors.
31 CVE-2015-7058 200 +Info 2015-12-11 2015-12-11
4.3
None Remote Medium Not required Partial None None
Apple iOS before 9.2, OS X before 10.11.2, and tvOS before 9.1 improperly validate keychain item ACLs, which allows attackers to obtain access to keychain items via a crafted app.
32 CVE-2015-7050 200 +Info 2015-12-11 2015-12-11
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.2 and Safari before 9.0.2 misparses content extensions, which allows remote attackers to obtain sensitive browsing-history information via a crafted web site.
33 CVE-2015-7043 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7040, CVE-2015-7041, and CVE-2015-7042.
34 CVE-2015-7042 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7040, CVE-2015-7041, and CVE-2015-7043.
35 CVE-2015-7041 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7040, CVE-2015-7042, and CVE-2015-7043.
36 CVE-2015-7040 DoS 2015-12-11 2015-12-11
4.3
None Remote Medium Not required None None Partial
The kernel in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 allows attackers to cause a denial of service via a crafted app, a different vulnerability than CVE-2015-7041, CVE-2015-7042, and CVE-2015-7043.
37 CVE-2015-7022 200 +Info 2015-10-23 2015-10-23
4.3
None Remote Medium Not required Partial None None
The Telephony subsystem in Apple iOS before 9.1 allows attackers to obtain sensitive call-status information via a crafted app.
38 CVE-2015-6997 254 2015-10-23 2016-04-11
4.3
None Remote Medium Not required None Partial None
The X.509 certificate-trust implementation in Apple iOS before 9.1 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.
39 CVE-2015-5921 200 +Info 2015-09-18 2015-09-18
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9 mishandles "Content-Disposition: attachment" HTTP headers, which might allow man-in-the-middle attackers to obtain sensitive information via unspecified vectors.
40 CVE-2015-5916 200 +Info 2015-09-18 2015-10-28
4.3
None Remote Medium Not required Partial None None
The Apple Pay component in Apple iOS before 9 allows remote terminals to obtain sensitive recent-transaction information during payments by leveraging the transaction-log feature.
41 CVE-2015-5904 254 2015-09-18 2015-09-18
4.3
None Remote Medium Not required None Partial None
Safari in Apple iOS before 9 allows remote attackers to spoof the relationship between URLs and web content via a crafted web site.
42 CVE-2015-5880 200 Bypass +Info 2015-09-18 2015-09-18
4.3
None Remote Medium Not required Partial None None
CoreAnimation in Apple iOS before 9 allows attackers to bypass intended IOSurface restrictions and obtain screen-framebuffer access via a crafted background app.
43 CVE-2015-5862 119 DoS Overflow Mem. Corr. 2015-09-18 2015-10-13
4.3
None Remote Medium Not required None None Partial
The Audio component in Apple iOS before 9 allows remote attackers to cause a denial of service (memory corruption and application crash) via a crafted audio file.
44 CVE-2015-5859 200 +Info 2015-11-21 2015-11-30
4.3
None Remote Medium Not required Partial None None
The CFNetwork HTTPProtocol component in Apple iOS before 9 and OS X before 10.11 does not properly recognize the HSTS preload list during a Safari private-browsing session, which makes it easier for remote attackers to obtain sensitive information by sniffing the network.
45 CVE-2015-5856 254 DoS 2015-09-18 2015-09-18
4.3
None Remote Medium Not required None None Partial
The Application Store component in Apple iOS before 9 allows remote attackers to cause a denial of service to an enterprise-signed app via a crafted ITMS URL.
46 CVE-2015-5855 200 +Info 2015-09-18 2015-10-13
4.3
None Remote Medium Not required Partial None None
Apple iOS before 9 allows attackers to discover the e-mail address of a player via a crafted Game Center app.
47 CVE-2015-5838 284 2015-09-18 2015-09-18
4.3
None Remote Medium Not required None Partial None
SpringBoard in Apple iOS before 9 does not properly restrict access to privileged API calls, which allows attackers to spoof the dialog windows of an arbitrary app via a crafted app.
48 CVE-2015-5837 20 Bypass 2015-09-18 2015-10-09
4.3
None Remote Medium Not required None Partial None
PluginKit in Apple iOS before 9 allows attackers to bypass an intended app-trust requirement and install arbitrary extensions via a crafted enterprise app.
49 CVE-2015-5835 200 +Info 2015-09-18 2015-09-18
4.3
None Remote Medium Not required Partial None None
Apple iOS before 9 allows attackers to obtain sensitive information about inter-app communication via a crafted app that conducts an interception attack involving an unspecified URL scheme.
50 CVE-2015-5834 200 +Info 2015-09-18 2015-10-09
4.3
None Remote Medium Not required Partial None None
IOAcceleratorFamily in Apple iOS before 9 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
Total number of vulnerabilities : 155   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.