| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2015-3185 |
264 |
|
Bypass |
2015-07-20 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. |
|
2 |
CVE-2015-3165 |
|
|
DoS |
2015-05-28 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence. |
|
3 |
CVE-2014-1296 |
264 |
|
Bypass |
2014-04-23 |
2014-04-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction. |
|
4 |
CVE-2014-1265 |
264 |
|
Bypass |
2014-02-26 |
2014-02-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The systemsetup program in the Date and Time subsystem in Apple OS X before 10.9.2 allows local users to bypass intended access restrictions by changing the current time on the system clock. |
|
5 |
CVE-2014-0067 |
264 |
|
+Priv |
2014-03-31 |
2017-12-15 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster. |
|
6 |
CVE-2013-0990 |
264 |
|
|
2013-06-05 |
2013-06-05 |
4.9 |
None |
Remote |
Medium |
Single system |
None |
Partial |
Partial |
|
SMB in Apple Mac OS X before 10.8.4, when file sharing is enabled, allows remote authenticated users to create or modify files outside of a shared directory via unspecified vectors. |
|
7 |
CVE-2013-0967 |
|
|
Bypass |
2013-03-15 |
2013-03-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CoreTypes in Apple Mac OS X before 10.8.3 includes JNLP files in the list of safe file types, which allows remote attackers to bypass a Java plug-in disabled setting, and trigger the launch of Java Web Start applications, via a crafted web site. |
|
8 |
CVE-2012-3723 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2012-09-20 |
2017-08-28 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apple Mac OS X before 10.7.5 does not properly handle the bNbrPorts field of a USB hub descriptor, which allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) by attaching a USB device. |
|
9 |
CVE-2012-0675 |
287 |
|
|
2012-05-10 |
2012-05-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Time Machine in Apple Mac OS X before 10.7.4 does not require continued use of SRP-based authentication after this authentication method is first used, which allows remote attackers to read Time Capsule credentials by spoofing the backup volume. |
|
10 |
CVE-2011-3452 |
200 |
|
+Info |
2012-02-02 |
2012-02-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Internet Sharing in Apple Mac OS X before 10.7.3 does not preserve the Wi-Fi configuration across software updates, which allows remote attackers to obtain sensitive information by leveraging the lack of a WEP password for a Wi-Fi network. |
|
11 |
CVE-2011-3447 |
200 |
|
+Info |
2012-02-02 |
2012-02-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple Mac OS X 10.7.x before 10.7.3 does not properly construct request headers during parsing of URLs, which allows remote attackers to obtain sensitive information via a malformed URL. |
|
12 |
CVE-2011-3444 |
310 |
|
|
2012-02-02 |
2012-02-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Address Book in Apple Mac OS X before 10.7.3 automatically switches to unencrypted sessions upon failure of encrypted connections, which allows remote attackers to read CardDAV data by terminating an encrypted connection and then sniffing the network. |
|
13 |
CVE-2011-3422 |
20 |
|
|
2011-09-12 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Keychain implementation in Apple Mac OS X 10.6.8 and earlier does not properly handle an untrusted attribute of a Certification Authority certificate, which makes it easier for man-in-the-middle attackers to spoof arbitrary SSL servers via an Extended Validation certificate, as demonstrated by https access with Safari. |
|
14 |
CVE-2011-3220 |
200 |
|
+Info |
2011-10-14 |
2012-01-13 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
QuickTime in Apple Mac OS X before 10.7.2 does not properly process URL data handlers in movie files, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted file. |
|
15 |
CVE-2011-3214 |
264 |
|
Bypass |
2011-10-14 |
2012-01-13 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IOGraphics in Apple Mac OS X through 10.6.8 does not properly handle a locked-screen state in display sleep mode for an Apple Cinema Display, which allows physically proximate attackers to bypass the password requirement via unspecified vectors. |
|
16 |
CVE-2011-1132 |
|
|
DoS |
2011-06-24 |
2011-10-26 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The IPv6 implementation in the kernel in Apple Mac OS X before 10.6.8 allows local users to cause a denial of service (NULL pointer dereference and reboot) via vectors involving socket options. |
|
17 |
CVE-2011-0260 |
264 |
|
Bypass |
2011-10-14 |
2012-01-13 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The CoreProcesses component in Apple Mac OS X 10.7 before 10.7.2 does not prevent a system window from receiving keystrokes in the locked-screen state, which might allow physically proximate attackers to bypass intended access restrictions by typing into this window. |
|
18 |
CVE-2011-0190 |
20 |
|
|
2011-03-22 |
2011-03-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Install Helper in Installer in Apple Mac OS X before 10.6.7 does not properly process an unspecified URL, which might allow remote attackers to track user logins by logging network traffic from an agent that was intended to send network traffic to an Apple server. |
|
19 |
CVE-2011-0187 |
200 |
|
Bypass +Info |
2011-03-22 |
2011-10-20 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The plug-in in QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive video data via vectors involving a cross-site redirect. |
|
20 |
CVE-2011-0185 |
134 |
|
+Priv |
2011-10-14 |
2012-01-13 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Format string vulnerability in the debug-logging feature in Application Firewall in Apple Mac OS X before 10.7.2 allows local users to gain privileges via a crafted name of an executable file. |
|
21 |
CVE-2011-0172 |
189 |
|
DoS |
2011-03-22 |
2011-03-24 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
AirPort in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to cause a denial of service (divide-by-zero error and reboot) via Wi-Fi frames on the local wireless network, a different vulnerability than CVE-2011-0162. |
|
22 |
CVE-2010-4011 |
200 |
|
+Info |
2010-11-16 |
2010-11-17 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Dovecot in Apple Mac OS X 10.6.5 10H574 does not properly manage memory for user names, which allows remote authenticated users to read the private e-mail of other persons in opportunistic circumstances via standard e-mail clients accessing a user's own mailbox, related to a "memory aliasing issue." |
|
23 |
CVE-2010-3796 |
200 |
|
+Info |
2010-11-16 |
2010-11-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Safari RSS in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not block Java applets in an RSS feed, which allows remote attackers to obtain sensitive information via a feed: URL containing an applet that performs DOM modifications. |
|
24 |
CVE-2010-1847 |
399 |
|
DoS |
2010-11-16 |
2010-12-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The kernel in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform memory management associated with terminal devices, which allows local users to cause a denial of service (system crash) via unspecified vectors. |
|
25 |
CVE-2010-1838 |
287 |
|
Bypass |
2010-11-15 |
2011-01-12 |
4.4 |
User |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Directory Services in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not properly handle errors associated with disabled mobile accounts, which allows remote attackers to bypass authentication by providing a valid account name. |
|
26 |
CVE-2010-1803 |
|
|
+Info |
2010-11-15 |
2010-12-10 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Time Machine in Apple Mac OS X 10.6.x before 10.6.5 does not verify the unique identifier of its remote AFP volume, which allows remote attackers to obtain sensitive information by spoofing this volume. |
|
27 |
CVE-2010-1374 |
22 |
|
Dir. Trav. |
2010-06-17 |
2010-06-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Directory traversal vulnerability in iChat in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, when AIM is used, allows remote attackers to create arbitrary files via directory traversal sequences in an inline image-transfer operation. |
|
28 |
CVE-2010-1373 |
79 |
|
XSS |
2010-06-17 |
2010-06-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Help Viewer in Apple Mac OS X 10.6 before 10.6.4 allows remote attackers to inject arbitrary web script or HTML via a crafted help: URL, related to "URL parameters in HTML content." |
|
29 |
CVE-2010-0545 |
264 |
|
Bypass |
2010-06-17 |
2010-06-17 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Finder in DesktopServices in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, does not set the expected file ownerships during an "Apply to enclosed items" action, which allows local users to bypass intended access restrictions via normal filesystem operations. |
|
30 |
CVE-2010-0541 |
79 |
|
XSS |
2010-06-17 |
2012-11-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a crafted URI that triggers a UTF-7 error page. |
|
31 |
CVE-2010-0534 |
264 |
|
|
2010-03-30 |
2010-06-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Wiki Server in Apple Mac OS X 10.6 before 10.6.3 does not enforce the service access control list (SACL) for weblogs during weblog creation, which allows remote authenticated users to publish content via HTTP requests. |
|
32 |
CVE-2010-0526 |
119 |
|
DoS Exec Code Overflow |
2010-03-30 |
2018-10-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Heap-based buffer overflow in QuickTimeMPEG.qtx in QuickTime in Apple Mac OS X before 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted genl atom in a QuickTime movie file with MPEG encoding, which is not properly handled during decompression. |
|
33 |
CVE-2010-0502 |
|
|
|
2010-03-30 |
2010-03-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
iChat Server in Apple Mac OS X Server before 10.6.3, when group chat is used, does not perform logging for all types of messages, which might allow remote attackers to avoid message auditing via an unspecified selection of message type. |
|
34 |
CVE-2009-2840 |
|
|
|
2009-11-10 |
2009-11-17 |
4.9 |
None |
Local |
Low |
Not required |
None |
Complete |
None |
|
Spotlight in Apple Mac OS X 10.5.8 does not properly handle temporary files, which allows local users to overwrite arbitrary files in the context of a different user's privileges via unspecified vectors. |
|
35 |
CVE-2009-2835 |
20 |
|
DoS +Priv +Info |
2009-11-10 |
2009-11-17 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The kernel in Apple Mac OS X before 10.6.2 does not properly handle task state segments, which allows local users to gain privileges, cause a denial of service (system crash), or obtain sensitive information via unspecified vectors. |
|
36 |
CVE-2009-2834 |
264 |
|
|
2009-11-10 |
2009-11-17 |
4.9 |
None |
Local |
Low |
Not required |
None |
Complete |
None |
|
IOKit in Apple Mac OS X before 10.6.2 allows local users to modify the firmware of a (1) USB or (2) Bluetooth keyboard via unspecified vectors. |
|
37 |
CVE-2009-2825 |
310 |
|
|
2009-11-10 |
2009-11-17 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Certificate Assistant in Apple Mac OS X before 10.6.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. |
|
38 |
CVE-2009-2823 |
79 |
|
XSS |
2009-11-10 |
2009-11-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTTP TRACE method, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. |
|
39 |
CVE-2009-2820 |
79 |
|
XSS Http R.Spl. |
2009-11-10 |
2017-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues. |
|
40 |
CVE-2009-2814 |
79 |
|
XSS |
2009-09-14 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Wiki Server in Apple Mac OS X 10.5.8 allows remote attackers to inject arbitrary web script or HTML via a search request containing data that does not use UTF-8 encoding. |
|
41 |
CVE-2009-2194 |
|
|
DoS |
2009-08-06 |
2017-08-16 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Apple Mac OS X 10.5 before 10.5.8 does not properly share file descriptors over local sockets, which allows local users to cause a denial of service (system crash) by placing file descriptors in messages sent to a socket that has no receiver, related to a "synchronization issue." |
|
42 |
CVE-2009-1723 |
|
|
|
2009-08-06 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple Mac OS X 10.5 before 10.5.8 places an incorrect URL in a certificate warning in certain 302 redirection scenarios, which makes it easier for remote attackers to trick a user into visiting an arbitrary https web site by leveraging an open redirect vulnerability, a different issue than CVE-2009-2062. |
|
43 |
CVE-2009-1237 |
399 |
|
DoS |
2009-04-02 |
2017-09-28 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Multiple memory leaks in XNU 1228.3.13 and earlier on Apple Mac OS X 10.5.6 and earlier allow local users to cause a denial of service (kernel memory consumption) via a crafted (1) SYS_add_profil or (2) SYS___mac_getfsstat system call. |
|
44 |
CVE-2009-0156 |
20 |
|
DoS |
2009-05-13 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Launch Services in Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows remote attackers to cause a denial of service (persistent Finder crash) via a crafted Mach-O executable that triggers an out-of-bounds memory read. |
|
45 |
CVE-2009-0153 |
79 |
|
XSS |
2009-05-13 |
2017-09-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
International Components for Unicode (ICU) 4.0, 3.6, and other 3.x versions, as used in Apple Mac OS X 10.5 before 10.5.7, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Fedora 9 and 10, and possibly other operating systems, does not properly handle invalid byte sequences during Unicode conversion, which might allow remote attackers to conduct cross-site scripting (XSS) attacks. |
|
46 |
CVE-2009-0150 |
119 |
|
DoS Overflow +Priv |
2009-05-13 |
2017-08-07 |
4.4 |
User |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in Apple Mac OS X 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (application crash) by attempting to mount a crafted sparse disk image. |
|
47 |
CVE-2009-0149 |
94 |
|
DoS +Priv Mem. Corr. |
2009-05-13 |
2017-08-07 |
4.4 |
User |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Apple Mac OS X 10.4.11 and 10.5 before 10.5.7 allows local users to gain privileges or cause a denial of service (application crash) by attempting to mount a crafted sparse disk image that triggers memory corruption. |
|
48 |
CVE-2009-0144 |
16 |
|
+Info |
2009-05-13 |
2017-08-07 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple Mac OS X 10.5 before 10.5.7 does not properly parse noncompliant Set-Cookie headers, which allows remote attackers to obtain sensitive information by sniffing the network for "secure cookies" that are sent over unencrypted HTTP connections. |
|
49 |
CVE-2009-0015 |
255 |
|
+Info |
2009-02-12 |
2009-08-19 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
Unspecified vulnerability in fseventsd in the FSEvents framework in Apple Mac OS X 10.5.6 allows local users to obtain sensitive information (filesystem activities and directory names) via unknown vectors related to "credential management." |
|
50 |
CVE-2008-4219 |
399 |
|
DoS |
2008-12-16 |
2009-08-20 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The kernel in Apple Mac OS X before 10.5.6 allows local users to cause a denial of service (infinite loop and system halt) by running an application that is dynamically linked to libraries on an NFS server, related to occurrence of an exception in this application. |
