| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2016-1787 | 200 | | +Info | 2016-03-24 | 2016-12-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Wiki Server in Apple OS X Server before 5.1 allows remote attackers to obtain sensitive information from Wiki pages via unspecified vectors. |
| 2 | CVE-2016-1777 | 310 | | | 2016-03-24 | 2016-12-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Web Server in Apple OS X Server before 5.1 supports the RC4 algorithm, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
| 3 | CVE-2016-1776 | 284 | | +Info | 2016-03-24 | 2016-12-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Web Server in Apple OS X Server before 5.1 does not properly restrict access to .DS_Store and .htaccess files, which allows remote attackers to obtain sensitive configuration information via an HTTP request. |
| 4 | CVE-2016-1774 | 284 | | +Info | 2016-03-24 | 2016-12-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Time Machine server in Server App in Apple OS X Server before 5.1 does not notify the user about ignored permissions during a backup, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading backup data that lacks intended restrictions. |
| 5 | CVE-2015-7031 | 264 | | Bypass | 2015-10-23 | 2016-12-24 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors. |
| 6 | CVE-2015-0253 | | | DoS | 2015-07-20 | 2021-06-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI. |
| 7 | CVE-2015-0228 | 20 | | DoS | 2015-03-08 | 2021-06-06 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. |
| 8 | CVE-2013-5704 | | | Bypass | 2014-04-15 | 2022-04-14 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." |
| 9 | CVE-2012-0651 | 200 | | +Info | 2012-05-11 | 2017-12-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The directory server in Directory Service in Apple Mac OS X 10.6.8 allows remote attackers to obtain sensitive information from process memory via a crafted message. |
| 10 | CVE-2011-3462 | | | +Info | 2012-02-02 | 2012-02-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Time Machine in Apple Mac OS X before 10.7.3 does not verify the unique identifier of its remote AFP volume or Time Capsule, which allows remote attackers to obtain sensitive information contained in new backups by spoofing this storage object, a different vulnerability than CVE-2010-1803. |
| 11 | CVE-2011-3246 | 200 | | +Info | 2011-10-14 | 2017-08-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | CFNetwork in Apple iOS before 5.0.1 and Mac OS X 10.7 before 10.7.2 does not properly parse URLs, which allows remote attackers to trigger visits to unintended web sites, and transmission of cookies to unintended web sites, via a crafted (1) http or (2) https URL. |
| 12 | CVE-2011-3225 | 264 | | Bypass | 2011-10-14 | 2012-01-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The SMB File Server component in Apple Mac OS X 10.7 before 10.7.2 does not prevent all guest users from accessing the share point record of a guest-restricted folder, which allows remote attackers to bypass intended browsing restrictions by leveraging access to the nobody account. |
| 13 | CVE-2011-0231 | 200 | | +Info | 2011-10-14 | 2012-01-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | CFNetwork in Apple Mac OS X before 10.7.2 does not properly follow an intended cookie-storage policy, which makes it easier for remote web servers to track users via a cookie, related to a "synchronization issue." |
| 14 | CVE-2011-0207 | 310 | | +Info | 2011-06-24 | 2011-10-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartext HTTP session for the Mail application to read e-mail aliases, which allows remote attackers to obtain potentially sensitive alias information by sniffing the network. |
| 15 | CVE-2011-0203 | 22 | | Dir. Trav. | 2011-06-24 | 2011-10-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Absolute path traversal vulnerability in xftpd in the FTP Server component in Apple Mac OS X before 10.6.8 allows remote attackers to list arbitrary directories by using the root directory as the starting point of a recursive listing. |
| 16 | CVE-2011-0199 | 20 | | | 2011-06-24 | 2011-10-27 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate. |
| 17 | CVE-2011-0189 | 16 | | | 2011-03-23 | 2011-03-23 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The default configuration of Terminal in Apple Mac OS X 10.6 before 10.6.7 uses SSH protocol version 1 within the New Remote Connection dialog, which might make it easier for man-in-the-middle attackers to spoof SSH servers by leveraging protocol vulnerabilities. |
| 18 | CVE-2011-0183 | 189 | | DoS | 2011-03-23 | 2011-03-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Libinfo in Apple Mac OS X before 10.6.7 does not properly handle an unspecified integer field in an NFS RPC packet, which allows remote attackers to cause a denial of service (lockd, statd, mountd, or portmap outage) via a crafted packet, related to an "integer truncation issue." |
| 19 | CVE-2010-3784 | | | DoS | 2010-11-16 | 2010-12-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The PMPageFormatCreateWithDataRepresentation API in Printing in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not properly handle XML data, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified API calls. |
| 20 | CVE-2010-1834 | 20 | | | 2010-11-15 | 2010-12-10 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | CFNetwork in Apple Mac OS X 10.6.x before 10.6.5 does not properly validate the domains of cookies, which makes it easier for remote web servers to track users by setting a cookie that is associated with a partial IP address. |
| 21 | CVE-2010-1830 | | | | 2010-11-15 | 2010-12-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 generates different error messages depending on whether a share exists, which allows remote attackers to enumerate valid share names via unspecified vectors. |
| 22 | CVE-2010-1828 | 20 | | DoS | 2010-11-15 | 2010-12-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial | AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon restart) via crafted reconnect authentication packets. |
| 23 | CVE-2010-1379 | 20 | | DoS | 2010-06-17 | 2010-06-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Printer Setup in Apple Mac OS X 10.6 before 10.6.4 does not properly interpret character encoding, which allows remote attackers to cause a denial of service (printing failure) by deploying a printing device that has a Unicode character in its printing-service name. |
| 24 | CVE-2010-0525 | 310 | | +Info | 2010-03-30 | 2010-06-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Mail in Apple Mac OS X before 10.6.3 does not properly enforce the key usage extension during processing of a keychain that specifies multiple certificates for an e-mail recipient, which might make it easier for remote attackers to obtain sensitive information via a brute-force attack on a weakly encrypted e-mail message. |
| 25 | CVE-2010-0523 | 200 | | +Info | 2010-03-30 | 2010-06-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Wiki Server in Apple Mac OS X 10.5.8 does not restrict the file types of uploaded files, which allows remote attackers to obtain sensitive information or possibly have unspecified other impact via a crafted file, as demonstrated by a Java applet. |
| 26 | CVE-2010-0521 | 287 | | +Info | 2010-03-30 | 2010-06-21 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Server Admin in Apple Mac OS X Server before 10.6.3 does not properly enforce authentication for directory binding, which allows remote attackers to obtain potentially sensitive information from Open Directory via unspecified LDAP requests. |
| 27 | CVE-2010-0511 | 264 | | | 2010-03-30 | 2010-03-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Podcast Producer in Apple Mac OS X 10.6 before 10.6.3 deletes the access restrictions of a Podcast Composer workflow when this workflow is overwritten, which allows attackers to access a workflow via unspecified vectors. |
| 28 | CVE-2009-2843 | 310 | | Exec Code | 2009-12-08 | 2011-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Java for Mac OS X 10.5 before Update 6 and 10.6 before Update 1 accepts expired certificates for applets, which makes it easier for remote attackers to execute arbitrary code via an applet. |
| 29 | CVE-2009-2832 | 119 | | DoS Exec Code Overflow | 2009-11-10 | 2009-11-17 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Buffer overflow in FTP Server in Apple Mac OS X before 10.6.2 allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a CWD command specifying a pathname in a deeply nested hierarchy of directories, related to a "CWD command line tool." |
| 30 | CVE-2009-2831 | | | Exec Code | 2009-11-10 | 2009-11-17 | 5.8 | None | Local Network | Low | Not required | Partial | Partial | Partial | Dictionary in Apple Mac OS X 10.5.8 allows remote attackers to create arbitrary files with any contents, and thereby execute arbitrary code, via crafted JavaScript, related to a "design issue." |
| 31 | CVE-2009-2829 | 255 | | DoS | 2009-11-10 | 2009-11-17 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Event Monitor in Apple Mac OS X 10.5.8 does not properly handle crafted authentication data sent to an SSH daemon, which allows remote attackers to cause a denial of service via vectors involving processing of XML log documents by other services, related to a "log injection" issue. |
| 32 | CVE-2009-2818 | 264 | | | 2009-11-10 | 2009-11-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Adaptive Firewall in Apple Mac OS X before 10.6.2 does not properly handle invalid usernames in SSH login attempts, which makes it easier for remote attackers to obtain login access via a brute-force attack (aka dictionary attack). |
| 33 | CVE-2009-2808 | 310 | | Exec Code | 2009-11-10 | 2009-11-17 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | Help Viewer in Apple Mac OS X before 10.6.2 does not use an HTTPS connection to retrieve Apple Help content from a web site, which allows man-in-the-middle attackers to send a crafted help:runscript link, and thereby execute arbitrary code, via a spoofed response. |
| 34 | CVE-2009-0152 | 16 | | +Info | 2009-05-13 | 2017-08-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | iChat in Apple Mac OS X 10.5 before 10.5.7 disables SSL for AOL Instant Messenger (AIM) communication in certain circumstances that are inconsistent with the Require SSL setting, which allows remote attackers to obtain sensitive information by sniffing the network. |
| 35 | CVE-2008-3617 | 255 | | | 2008-09-16 | 2017-08-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Remote Management and Screen Sharing in Apple Mac OS X 10.5 through 10.5.4, when used to set a password for a VNC viewer, displays additional input characters beyond the maximum password length, which might make it easier for attackers to guess passwords that the user believed were longer. |
| 36 | CVE-2008-2331 | 264 | | | 2008-09-16 | 2017-08-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Finder in Apple Mac OS X 10.5 through 10.5.4 does not properly update permission data in the Get Info window after a lock operation that modifies Sharing & Permissions in a filesystem, which might allow local users to leverage weak permissions that were not intended by an administrator. |
| 37 | CVE-2008-1579 | 200 | | +Info | 2008-06-02 | 2017-08-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Wiki Server in Apple Mac OS X 10.5 before 10.5.3 allows remote attackers to obtain sensitive information (user names) by reading the error message produced upon access to a nonexistent blog. |
| 38 | CVE-2008-1571 | 22 | | Dir. Trav. | 2008-06-02 | 2017-08-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the embedded web server in Image Capture in Apple Mac OS X before 10.5 allows remote attackers to read arbitrary files via directory traversal sequences in the URI. |
| 39 | CVE-2008-0992 | 119 | | Exec Code Overflow | 2008-03-18 | 2017-08-08 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | Array index error in pax in Apple Mac OS X 10.5.2 allows context-dependent attackers to execute arbitrary code via an archive with a crafted length value. |
| 40 | CVE-2008-0059 | 362 | | Exec Code | 2008-03-18 | 2017-08-08 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | Race condition in NSXML in Foundation for Apple Mac OS X 10.4.11 allows context-dependent attackers to execute arbitrary code via a crafted XML file, related to "error handling logic." |
| 41 | CVE-2008-0058 | 362 | | Exec Code | 2008-03-18 | 2017-08-08 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | Race condition in the NSURLConnection cache management functionality in Foundation for Apple Mac OS X 10.4.11 allows remote attackers to execute arbitrary code via unspecified manipulations that cause messages to be sent to a deallocated object. |
| 42 | CVE-2008-0050 | 200 | | +Info | 2008-03-18 | 2017-08-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | CFNetwork in Apple Mac OS X 10.4.11 allows remote HTTPS proxy servers to spoof secure websites via data in a 502 Bad Gateway error. |
| 43 | CVE-2008-0046 | 264 | | Bypass | 2008-03-18 | 2017-08-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Application Firewall in Apple Mac OS X 10.5.2 has an incorrect German translation for the "Set access for specific services and applications" radio button that might cause the user to believe that the button is used to restrict access only to specific services and applications, which might allow attackers to bypass intended access restrictions. |
| 44 | CVE-2008-0044 | 119 | | DoS Exec Code Overflow | 2008-03-18 | 2017-08-08 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial | Multiple buffer overflows in AFP Client in Apple Mac OS X 10.4.11 and 10.5.2 allow remote attackers to cause a denial of service (application termination) and execute arbitrary code via a crafted afp:// URL. |
| 45 | CVE-2007-4688 | 200 | | +Info | 2007-11-15 | 2017-07-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Networking component in Apple Mac OS X 10.4 through 10.4.10 allows remote attackers to obtain all addresses for a host, including link-local addresses, via a Node Information Query. |
| 46 | CVE-2007-3744 | 119 | | Exec Code Overflow | 2007-08-03 | 2017-07-29 | 5.8 | None | Local Network | Low | Not required | Partial | Partial | Partial | Heap-based buffer overflow in the UPnP IGD (Internet Gateway Device Standardized Device Control Protocol) implementation in mDNSResponder on Apple Mac OS X 10.4.10 before 20070731 allows network-adjacent remote attackers to execute arbitrary code via a crafted packet. |
| 47 | CVE-2007-2404 | | | XSS Http R.Spl. | 2007-08-03 | 2017-07-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | CRLF injection vulnerability in CFNetwork on Apple Mac OS X 10.3.9 and 10.4.10 before 20070731 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in an unspecified context. NOTE: this can be leveraged for cross-site scripting (XSS) attacks. |
| 48 | CVE-2007-1863 | | | DoS | 2007-06-27 | 2023-02-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial | cache_util.c in the mod_cache module in Apache HTTP Server (httpd), when caching is enabled and a threaded Multi-Processing Module (MPM) is used, allows remote attackers to cause a denial of service (child processing handler crash) via a request with the (1) s-maxage, (2) max-age, (3) min-fresh, or (4) max-stale Cache-Control headers without a value. |
| 49 | CVE-2007-0726 | | | DoS | 2007-03-13 | 2017-07-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The SSH key generation process in OpenSSH in Apple Mac OS X 10.3.9 and 10.4 through 10.4.8 allows remote attackers to cause a denial of service by connecting to the server before SSH has finished creating keys, which causes the keys to be regenerated and can break trust relationships that were based on the original keys. |
| 50 | CVE-2006-6353 | | | DoS | 2006-12-07 | 2008-09-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Multiple unspecified vulnerabilities in BOMArchiveHelper in Mac OS X allow user-assisted remote attackers to cause a denial of service (application crash) via unspecified vectors related to (1) certain KERN_PROTECTION_FAILURE thread crashes and (2) certain KERN_INVALID_ADDRESS thread crashes, as discovered with the "iSec Partners FileP fuzzer". |