VYPR

Safari

by Apple Inc.

CVEs (1,615)

  • CVE-2016-4585MedJul 22, 2016
    risk 0.40cvss 6.1epss 0.02

    Cross-site scripting (XSS) vulnerability in the WebKit Page Loading implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to inject arbitrary web script or HTML via an HTTP response specifying redirection that is mishandled…

  • CVE-2017-7064MedJul 20, 2017
    risk 0.39cvss 5.5epss 0.04

    An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. iCloud before 6.2.2 on Windows is affected. iTunes before 12.6.2 on Windows is affected. The issue involves the "WebKit" component. It allows attackers to bypass…

  • CVE-2026-20608MedFeb 11, 2026
    risk 0.36cvss 5.5epss 0.00

    This issue was addressed through improved state management. This issue is fixed in Safari 26.3, iOS 18.7.5 and iPadOS 18.7.5, iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, visionOS 26.3. Processing maliciously crafted web content may lead to an unexpected process crash.

  • CVE-2025-46282MedDec 17, 2025
    risk 0.36cvss 5.5epss 0.00

    The issue was addressed with additional permissions checks. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. An app may be able to access sensitive user data.

  • CVE-2024-44192MedMar 10, 2025
    risk 0.36cvss 5.5epss 0.00

    The issue was addressed with improved checks. This issue is fixed in Safari 18, iOS 18 and iPadOS 18, macOS Sequoia 15, tvOS 18, visionOS 2, watchOS 11. Processing maliciously crafted web content may lead to an unexpected process crash.

  • CVE-2024-44185MedOct 24, 2024
    risk 0.36cvss 5.5epss 0.00

    The issue was addressed with improved checks. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. Processing maliciously crafted web content may lead to an unexpected process crash.

  • CVE-2024-40780MedJul 29, 2024
    risk 0.36cvss 5.5epss 0.01

    An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 17.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. Processing maliciously crafted web content may lead to an…

  • CVE-2024-40779MedJul 29, 2024
    risk 0.36cvss 5.5epss 0.00

    An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Safari 17.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6, tvOS 17.6, visionOS 1.3, watchOS 10.6. Processing maliciously crafted web content may lead to an…

  • CVE-2024-27844MedJun 10, 2024
    risk 0.36cvss 5.5epss 0.01

    The issue was addressed with improved checks. This issue is fixed in Safari 17.5, macOS Sonoma 14.5, visionOS 1.2. A website's permission dialog may persist after navigation away from the site.

  • CVE-2024-27834MedMay 14, 2024
    risk 0.36cvss 5.5epss 0.01

    The issue was addressed with improved checks. This issue is fixed in Safari 17.5, iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, tvOS 17.5, watchOS 10.5. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication.

  • CVE-2017-2385MedApr 2, 2017
    risk 0.36cvss 5.5epss 0.00

    An issue was discovered in certain Apple products. Safari before 10.1 is affected. The issue involves the "Safari Login AutoFill" component. It allows local users to obtain access to locked keychain items via unspecified vectors.

  • CVE-2016-7153MedSep 6, 2016
    risk 0.36cvss 5.3epss 0.14

    The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a…

  • CVE-2016-7152MedSep 6, 2016
    risk 0.36cvss 5.3epss 0.14

    The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a…

  • CVE-2024-44296MedOct 28, 2024
    risk 0.35cvss 5.4epss 0.01

    The issue was addressed with improved checks. This issue is fixed in Safari 18.1, iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, tvOS 18.1, visionOS 2.1, watchOS 11.1. Processing maliciously crafted web content may prevent Content Security Policy…

  • CVE-2017-7142MedOct 23, 2017
    risk 0.35cvss 5.3epss 0.02

    An issue was discovered in certain Apple products. Safari before 11 is affected. The issue involves the "WebKit Storage" component. It allows attackers to bypass the Safari Private Browsing protection mechanism, and consequently obtain sensitive information about visited web…

  • CVE-2017-7006MedJul 20, 2017
    risk 0.35cvss 5.3epss 0.01

    An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct a timing side-channel attack to bypass the Same…

  • CVE-2016-4604MedJul 22, 2016
    risk 0.35cvss 5.4epss 0.01

    Safari in Apple iOS before 9.3.3 allows remote attackers to spoof the displayed URL via an HTTP response specifying redirection to an invalid TCP port number.

  • CVE-2016-4590MedJul 22, 2016
    risk 0.35cvss 5.4epss 0.01

    WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles about: URLs, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.

  • CVE-2016-1786MedMar 24, 2016
    risk 0.35cvss 5.4epss 0.01

    The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles HTTP responses with a 3xx (aka redirection) status code, which allows remote attackers to spoof the displayed URL, bypass the Same Origin Policy, and obtain sensitive cached…

  • CVE-2015-4000LowMay 21, 2015
    risk 0.35cvss 3.7epss 1.00

    The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by…

Page 20 of 81