CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Apple » Iphone Os : Security Vulnerabilities (CVSS score between 3 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
501 CVE-2016-4622 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4623, and CVE-2016-4624.
502 CVE-2016-4620 200 +Info 2016-09-18 2017-08-12
4.3
None Remote Medium Not required Partial None None
The Sandbox Profiles component in Apple iOS before 10 does not properly restrict access to directory metadata for SMS draft directories, which allows attackers to discover text-message recipients via a crafted app.
503 CVE-2016-4618 79 XSS 2016-09-25 2017-07-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Safari Reader in Apple iOS before 10 and Safari before 10 allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)."
504 CVE-2016-4611 119 DoS Exec Code Overflow Mem. Corr. 2016-09-25 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4730, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735.
505 CVE-2016-4603 254 Bypass +Info 2016-07-21 2017-08-31
4.3
None Remote Medium Not required Partial None None
Web Media in Apple iOS before 9.3.3 allows attackers to bypass the Private Browsing protection mechanism and obtain sensitive video URL information by leveraging Safari View Controller misbehavior.
506 CVE-2016-4594 20 2016-07-21 2017-08-31
4.6
None Local Low Not required Partial Partial Partial
The Sandbox Profiles component in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows attackers to access the process list via a crafted app that makes an API call.
507 CVE-2016-4447 119 DoS Overflow 2016-06-09 2018-01-04
5.0
None Remote Low Not required None None Partial
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
508 CVE-2016-1950 119 Exec Code Overflow 2016-03-13 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate.
509 CVE-2016-1865 476 DoS 2016-07-21 2017-08-31
4.9
None Local Low Not required None None Complete
The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
510 CVE-2016-1864 200 XSS +Info 2016-06-19 2017-08-31
5.0
None Remote Low Not required Partial None None
The XSS auditor in WebKit, as used in Apple iOS before 9.3 and Safari before 9.1, does not properly handle redirects in block mode, which allows remote attackers to obtain sensitive information via a crafted URL.
511 CVE-2016-1859 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
512 CVE-2016-1858 200 +Info 2016-05-20 2018-10-09
4.3
None Remote Medium Not required Partial None None
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, improperly tracks taint attributes, which allows remote attackers to obtain sensitive information via a crafted web site.
513 CVE-2016-1857 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1856.
514 CVE-2016-1856 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1857.
515 CVE-2016-1855 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1856, and CVE-2016-1857.
516 CVE-2016-1854 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1855, CVE-2016-1856, and CVE-2016-1857.
517 CVE-2016-1847 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2017-11-29
6.8
None Remote Medium Not required Partial Partial Partial
OpenGL, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
518 CVE-2016-1842 284 +Info 2016-05-20 2016-12-01
5.0
None Remote Low Not required Partial None None
MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.
519 CVE-2016-1841 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2019-06-18
6.8
None Remote Medium Not required Partial Partial Partial
libxslt, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
520 CVE-2016-1840 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
521 CVE-2016-1839 119 DoS Overflow 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
The xmlDictAddString function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
522 CVE-2016-1838 119 DoS Overflow 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
The xmlPArserPrintFileContextInternal function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
523 CVE-2016-1837 119 DoS Overflow 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Multiple use-after-free vulnerabilities in the (1) htmlPArsePubidLiteral and (2) htmlParseSystemiteral functions in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allow remote attackers to cause a denial of service via a crafted XML document.
524 CVE-2016-1836 119 DoS Overflow 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service via a crafted XML document.
525 CVE-2016-1835 119 DoS Overflow 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in the xmlSAX2AttributeNs function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2 and OS X before 10.11.5, allows remote attackers to cause a denial of service via a crafted XML document.
526 CVE-2016-1834 119 DoS Exec Code Overflow Mem. Corr. 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
527 CVE-2016-1833 119 DoS Overflow 2016-05-20 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
The htmlCurrentChar function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
528 CVE-2016-1832 119 DoS Overflow +Priv Mem. Corr. 2016-05-20 2017-11-29
4.6
None Local Low Not required Partial Partial Partial
libc in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.
529 CVE-2016-1814 DoS 2016-05-20 2016-11-30
4.3
None Remote Medium Not required None None Partial
IOAcceleratorFamily in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app.
530 CVE-2016-1811 DoS 2016-05-20 2016-11-30
5.0
None Remote Low Not required None None Partial
ImageIO in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image.
531 CVE-2016-1802 200 +Info 2016-05-20 2016-11-30
4.3
None Remote Medium Not required Partial None None
CCCrypt in CommonCrypto in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 mishandles return values during key-length calculations, which allows attackers to obtain sensitive information via a crafted app.
532 CVE-2016-1801 200 +Info 2016-05-20 2016-11-30
5.0
None Remote Low Not required Partial None None
The CFNetwork Proxies subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 mishandles URLs in http and https requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
533 CVE-2016-1790 119 Overflow +Info 2016-05-20 2016-11-30
4.3
None Remote Medium Not required Partial None None
Buffer overflow in the Accessibility component in Apple iOS before 9.3.2 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
534 CVE-2016-1786 200 Bypass +Info 2016-03-23 2018-10-09
5.8
None Remote Medium Not required Partial Partial None
The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles HTTP responses with a 3xx (aka redirection) status code, which allows remote attackers to spoof the displayed URL, bypass the Same Origin Policy, and obtain sensitive cached information via a crafted web site.
535 CVE-2016-1785 200 Bypass +Info 2016-03-23 2018-10-09
4.3
None Remote Medium Not required Partial None None
The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles character encoding during access to cached data, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted web site.
536 CVE-2016-1784 399 DoS 2016-03-23 2016-12-02
4.3
None Remote Medium Not required None None Partial
The History implementation in WebKit in Apple iOS before 9.3, Safari before 9.1, and tvOS before 9.2 allows remote attackers to cause a denial of service (resource consumption and application crash) via a crafted web site.
537 CVE-2016-1782 284 Bypass 2016-03-23 2018-10-09
4.3
None Remote Medium Not required None Partial None
WebKit in Apple iOS before 9.3 and Safari before 9.1 does not properly restrict redirects that specify a TCP port number, which allows remote attackers to bypass intended port restrictions via a crafted web site.
538 CVE-2016-1781 19 2016-03-23 2018-10-09
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles attachment URLs, which makes it easier for remote web servers to track users via unspecified vectors.
539 CVE-2016-1780 200 +Info 2016-03-23 2016-12-02
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.3 does not prevent hidden web views from reading orientation and motion data, which allows remote attackers to obtain sensitive information about a device's physical environment via a crafted web site.
540 CVE-2016-1779 200 Bypass +Info 2016-03-23 2018-10-09
4.3
None Remote Medium Not required Partial None None
WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote attackers to bypass the Same Origin Policy and obtain physical-location data via a crafted geolocation request.
541 CVE-2016-1766 2016-03-23 2016-12-02
5.0
None Remote Low Not required None Partial None
The Profiles component in Apple iOS before 9.3 does not properly validate certificates, which allows attackers to spoof an MDM profile trust relationship via unspecified vectors.
542 CVE-2016-1763 20 +Info 2016-03-23 2016-12-02
3.5
None Remote Medium Single system Partial None None
Messages in Apple iOS before 9.3 does not ensure that an auto-fill action applies to the intended message thread, which allows remote authenticated users to obtain sensitive information by providing a crafted sms: URL and reading a thread.
543 CVE-2016-1758 119 DoS Overflow +Info 2016-03-23 2016-12-02
4.3
None Remote Medium Not required Partial None None
The kernel in Apple iOS before 9.3 and OS X before 10.11.4 allows attackers to obtain sensitive memory-layout information or cause a denial of service (out-of-bounds read) via a crafted app.
544 CVE-2016-1748 200 +Info 2016-03-23 2016-12-02
4.3
None Remote Medium Not required Partial None None
IOHIDFamily in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9.2, and watchOS before 2.2 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.
545 CVE-2016-1730 19 2016-02-01 2016-12-05
5.8
None Remote Medium Not required Partial Partial None
WebSheet in Apple iOS before 9.2.1 allows remote attackers to read or write to cookies by operating a crafted captive portal.
546 CVE-2016-1728 200 +Info 2016-02-01 2018-10-09
4.3
None Remote Medium Not required Partial None None
The Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1 and Safari before 9.0.3 mishandles the "a:visited button" selector during height processing, which makes it easier for remote attackers to obtain sensitive browser-history information via a crafted web site.
547 CVE-2015-8242 119 DoS Overflow +Info 2015-12-15 2017-09-13
5.8
None Remote Medium Not required Partial None Partial
The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
548 CVE-2015-7995 DoS 2015-11-17 2017-12-08
5.0
None Remote Low Not required None None Partial
The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to a "type confusion" issue.
549 CVE-2015-7987 119 Overflow 2016-06-25 2016-11-29
6.8
None Remote Medium Not required Partial Partial Partial
Multiple buffer overflows in mDNSResponder before 625.41.2 allow remote attackers to read or write to out-of-bounds memory locations via vectors involving the (1) GetValueForIPv4Addr, (2) GetValueForMACAddr, (3) rfc3110_import, or (4) CopyNSEC3ResourceRecord function.
550 CVE-2015-7942 119 DoS Overflow 2015-11-18 2017-09-13
6.8
None Remote Medium Not required Partial Partial Partial
The xmlParseConditionalSections function in parser.c in libxml2 does not properly skip intermediary entities when it stops parsing invalid input, which allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) via crafted XML data, a different vulnerability than CVE-2015-7941.
Total number of vulnerabilities : 1077   Page : 1 2 3 4 5 6 7 8 9 10 11 (This Page)12 13 14 15 16 17 18 19 20 21 22
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.