VYPR
Unrated severity · NVD Advisory · Published Feb 27, 2014 · Updated Apr 29, 2026

CVE-2014-1257

Description

CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CFNetwork in OS X through 10.8.5 fails to clear session cookies on Safari reset, enabling local attackers to access authenticated sessions.

Vulnerability

CFNetwork in Apple OS X through 10.8.5 does not remove session cookies when a user performs a Safari reset action. This allows previously stored session cookies to persist after the reset, leaving them accessible to subsequent users of the same workstation. The issue is addressed in OS X Mavericks v10.9.2 and Security Update 2014-001 [1].

Exploitation

An attacker with physical access to an unattended workstation can exploit this vulnerability by simply using the browser after the legitimate user has performed a Safari reset. No authentication or special privileges are required; the attacker only needs to navigate to websites that the previous user had logged into, as the session cookies remain valid.

Impact

Successful exploitation allows the attacker to bypass intended access restrictions and impersonate the previous user on web services that rely on session cookies. This can lead to unauthorized access to sensitive information, such as email, social media, or corporate applications, depending on the user's active sessions.

Mitigation

Apple addressed this issue in OS X Mavericks v10.9.2 and Security Update 2014-001, released on February 25, 2014 [1]. Users should update their systems via Software Update or the Apple Support website. No workaround is documented for unpatched systems.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8
  • cpe:2.3:o:apple:mac_os_x:10.8.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.8.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.8.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.8.3:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.8.4:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:10.8.5:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x:*:supplemental_update:*:*:*:*:*:* (range: <=10.8.5)
  • Apple Inc./OS X (llm-fuzzy)
    Range: <=10.8.5

References

1
