The issue was addressed with improved authentication. This issue is fixed in iOS 17.3 and iPadOS 17.3. Stolen Device Protection may be unexpectedly disabled.
Max CVSS
6.2
EPSS Score
0.05%
Published
2024-01-23
Updated
2024-01-30
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
Max CVSS
6.3
EPSS Score
0.09%
Published
2023-12-08
Updated
2024-01-05
The issue was addressed with improved authentication. This issue is fixed in macOS Ventura 13.3, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, macOS Monterey 12.6.4, macOS Big Sur 11.7.5. A user in a privileged network position may be able to spoof a VPN server that is configured with EAP-only authentication on a device.
Max CVSS
6.5
EPSS Score
0.08%
Published
2023-05-08
Updated
2023-07-27
The issue was addressed with improved authentication. This issue is fixed in iOS 15 and iPadOS 15. A malicious application may be able to access photo metadata without needing permission to access photos.
Max CVSS
5.5
EPSS Score
0.06%
Published
2021-08-24
Updated
2023-01-09
A logic issue was addressed with improved validation. This issue is fixed in iOS 14.7, tvOS 14.7, watchOS 7.6. An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations.
Max CVSS
5.5
EPSS Score
0.05%
Published
2021-09-08
Updated
2021-09-15
A logic issue was addressed with improved state management. This issue is fixed in iOS 14.7, tvOS 14.7, watchOS 7.6. A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.
Max CVSS
5.5
EPSS Score
0.06%
Published
2021-09-08
Updated
2021-09-15
A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, watchOS 7.5. A malicious website may be able to access restricted ports on arbitrary servers.
Max CVSS
5.8
EPSS Score
0.22%
Published
2021-09-08
Updated
2023-01-09
A logic issue was addressed with improved validation. This issue is fixed in iOS 14.6 and iPadOS 14.6. An attacker in WiFi range may be able to force a client to use a less secure authentication mechanism.
Max CVSS
5.4
EPSS Score
0.05%
Published
2021-09-08
Updated
2021-09-16
An inconsistency in Wi-Fi network configuration settings was addressed. This issue is fixed in iOS 13.2 and iPadOS 13.2. An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup.
Max CVSS
5.7
EPSS Score
0.05%
Published
2019-12-18
Updated
2019-12-26
This issue was addressed by improving Face ID machine learning models. This issue is fixed in iOS 13. A 3D model constructed to look like the enrolled user may authenticate via Face ID.
Max CVSS
6.8
EPSS Score
0.07%
Published
2019-12-18
Updated
2020-08-24
An authentication issue was addressed with improved state management. This issue is fixed in tvOS 13. A local user may be able to leak sensitive user information.
Max CVSS
5.5
EPSS Score
0.04%
Published
2019-12-18
Updated
2019-12-20
An issue was discovered in certain Apple products. iOS before 10.2 is affected. watchOS before 3.1.1 is affected. The issue involves the "Accounts" component, which allows local users to bypass intended authorization restrictions by leveraging the mishandling of an app uninstall.
Max CVSS
5.3
EPSS Score
0.04%
Published
2017-02-20
Updated
2018-10-30
WebKit in Apple iOS before 10, iTunes before 12.5.1 on Windows, and Safari before 10 allows remote attackers to conduct DNS rebinding attacks against non-HTTP Safari sessions by leveraging HTTP/0.9 support.
Max CVSS
6.5
EPSS Score
0.52%
Published
2016-09-25
Updated
2017-07-30
MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.
Max CVSS
7.5
EPSS Score
0.47%
Published
2016-05-20
Updated
2016-12-01
WebKit in Apple iOS before 9.3 and Safari before 9.1 does not properly restrict redirects that specify a TCP port number, which allows remote attackers to bypass intended port restrictions via a crafted web site.
Max CVSS
6.5
EPSS Score
0.44%
Published
2016-03-24
Updated
2018-10-09
The XPC Services API in LaunchServices in Apple iOS before 9.3 allows attackers to bypass intended event-handler restrictions and modify an arbitrary app's events via a crafted app.
Max CVSS
6.2
EPSS Score
0.09%
Published
2016-03-29
Updated
2016-12-03
AppleMobileFileIntegrity in Apple iOS before 9.2 and tvOS before 9.1 does not prevent changes to access-control structures, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
Max CVSS
9.3
EPSS Score
0.25%
Published
2015-12-11
Updated
2019-03-08
The processor_set_tasks API implementation in Apple iOS before 9 allows local users to bypass an entitlement protection mechanism and obtain access to the task ports of arbitrary processes by leveraging root privileges.
Max CVSS
7.2
EPSS Score
0.04%
Published
2015-09-18
Updated
2016-12-22
SpringBoard in Apple iOS before 9 does not properly restrict access to privileged API calls, which allows attackers to spoof the dialog windows of an arbitrary app via a crafted app.
Max CVSS
4.3
EPSS Score
0.19%
Published
2015-09-18
Updated
2016-12-22
WebKit in Apple iOS before 9 does not properly select the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Max CVSS
4.3
EPSS Score
0.37%
Published
2015-09-18
Updated
2016-12-22
AppleFileConduit in Apple iOS before 8.4.1 allows attackers to bypass intended restrictions on filesystem access via an afc command that leverages symlink mishandling.
Max CVSS
5.0
EPSS Score
0.19%
Published
2015-08-17
Updated
2016-12-24
Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to bypass a code-signing protection mechanism by appending code to a crafted executable file.
Max CVSS
7.2
EPSS Score
0.04%
Published
2015-08-17
Updated
2016-12-24
The Telephony component in Apple iOS before 8.3 allows attackers to bypass a sandbox protection mechanism and access unintended telephone capabilities via a crafted app.
Max CVSS
4.4
EPSS Score
0.16%
Published
2015-04-10
Updated
2017-01-03
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
Max CVSS
6.8
EPSS Score
0.22%
Published
2014-04-23
Updated
2019-03-08
Mail in Apple iPhone 1.1.1, when using SSL, does not warn the user when the mail server changes or is not trusted, which might allow remote attackers to steal credentials and read email via a man-in-the-middle (MITM) attack.
Max CVSS
4.3
EPSS Score
0.45%
Published
2007-09-27
Updated
2022-08-09
25 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!