Safari
by Apple Inc.
CVEs (1,615)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2009-2196 | 0.00 | — | 0.05 | Aug 12, 2009 | Unspecified vulnerability in Apple Safari 4 before 4.0.3 allows remote web servers to place an arbitrary web site in the Top Sites view, and possibly conduct phishing attacks, via unknown vectors. | |||
| CVE-2009-2198 | 0.00 | — | 0.02 | Aug 4, 2009 | Apple GarageBand before 5.1 reconfigures Safari to accept all cookies regardless of domain name, which makes it easier for remote web servers to track users. | |||
| CVE-2009-1725 | 0.00 | — | 0.06 | Jul 9, 2009 | WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms; KHTML in kdelibs in KDE; QtWebKit (aka Qt toolkit); and possibly other products do not properly handle numeric character references, which allows… | |||
| CVE-2009-2421 | 0.00 | — | 0.03 | Jul 9, 2009 | The CFCharacterSetInitInlineBuffer method in CoreFoundation.dll in Apple Safari 3.2.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a "high-bit character" in a URL fragment for an… | |||
| CVE-2009-2420 | 0.00 | — | 0.01 | Jul 9, 2009 | Apple Safari 3.2.3 does not properly implement the file: protocol handler, which allows remote attackers to read arbitrary files or cause a denial of service (launch of multiple Windows Explorer instances) via vectors involving an unspecified HTML tag, possibly a related issue… | |||
| CVE-2009-1692 | 0.00 | — | 0.04 | Jun 19, 2009 | WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Safari, and other software, allows remote attackers to cause a denial of service (memory consumption or device reset) via a web page containing an HTMLSelectElement… | |||
| CVE-2009-1680 | 0.00 | — | 0.00 | Jun 19, 2009 | Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly clear the search history when it is cleared from the Settings application, which allows physically proximate attackers to obtain the search history. | |||
| CVE-2009-2072 | 0.00 | — | 0.00 | Jun 15, 2009 | Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser a crafted (1) 4xx or (2) 5xx CONNECT response page for an https request sent… | |||
| CVE-2009-2066 | 0.00 | — | 0.01 | Jun 15, 2009 | Apple Safari detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file… | |||
| CVE-2009-2062 | 0.00 | — | 0.01 | Jun 15, 2009 | Apple Safari before 3.2.2 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary… | |||
| CVE-2009-2058 | 0.00 | — | 0.01 | Jun 15, 2009 | Apple Safari before 3.2.2 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an… | |||
| CVE-2009-2027 | 0.00 | — | 0.00 | Jun 10, 2009 | The Installer in Apple Safari before 4.0 on Windows allows local users to gain privileges by checking a box that specifies an immediate launch of the application after installation, related to an unspecified compression method. | |||
| CVE-2009-1718 | 0.00 | — | 0.02 | Jun 10, 2009 | WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to obtain sensitive information via vectors involving drag events and the dragging of content over a crafted web page. | |||
| CVE-2009-1716 | 0.00 | — | 0.00 | Jun 10, 2009 | CFNetwork in Apple Safari before 4.0 on Windows does not properly protect the temporary files created for downloads, which allows local users to obtain sensitive information by reading these files. | |||
| CVE-2009-1715 | 0.00 | — | 0.04 | Jun 10, 2009 | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to script execution with incorrect privileges. | |||
| CVE-2009-1714 | 0.00 | — | 0.03 | Jun 10, 2009 | Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes. | |||
| CVE-2009-1713 | 0.00 | — | 0.02 | Jun 10, 2009 | The XSLT functionality in WebKit in Apple Safari before 4.0 does not properly implement the document function, which allows remote attackers to read (1) arbitrary local files and (2) files from different security zones via unspecified vectors. | |||
| CVE-2009-1710 | 0.00 | — | 0.03 | Jun 10, 2009 | WebKit in Apple Safari before 4.0 allows remote attackers to spoof the browser's display of (1) the host name, (2) security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property. | |||
| CVE-2009-1708 | 0.00 | — | 0.05 | Jun 10, 2009 | Apple Safari before 4.0 does not prevent calls to the open-help-anchor URL handler by web sites, which allows remote attackers to open arbitrary local help files, and execute arbitrary code or obtain sensitive information, via a crafted call. | |||
| CVE-2009-1707 | 0.00 | — | 0.00 | Jun 10, 2009 | Race condition in the Reset Safari implementation in Apple Safari before 4.0 on Windows might allow local users to read stored web-site passwords via unspecified vectors. |
- CVE-2009-2196Aug 12, 2009risk 0.00cvss —epss 0.05
Unspecified vulnerability in Apple Safari 4 before 4.0.3 allows remote web servers to place an arbitrary web site in the Top Sites view, and possibly conduct phishing attacks, via unknown vectors.
- CVE-2009-2198Aug 4, 2009risk 0.00cvss —epss 0.02
Apple GarageBand before 5.1 reconfigures Safari to accept all cookies regardless of domain name, which makes it easier for remote web servers to track users.
- CVE-2009-1725Jul 9, 2009risk 0.00cvss —epss 0.06
WebKit in Apple Safari before 4.0.2, as used on iPhone OS before 3.1, iPhone OS before 3.1.1 for iPod touch, and other platforms; KHTML in kdelibs in KDE; QtWebKit (aka Qt toolkit); and possibly other products do not properly handle numeric character references, which allows…
- CVE-2009-2421Jul 9, 2009risk 0.00cvss —epss 0.03
The CFCharacterSetInitInlineBuffer method in CoreFoundation.dll in Apple Safari 3.2.3 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a "high-bit character" in a URL fragment for an…
- CVE-2009-2420Jul 9, 2009risk 0.00cvss —epss 0.01
Apple Safari 3.2.3 does not properly implement the file: protocol handler, which allows remote attackers to read arbitrary files or cause a denial of service (launch of multiple Windows Explorer instances) via vectors involving an unspecified HTML tag, possibly a related issue…
- CVE-2009-1692Jun 19, 2009risk 0.00cvss —epss 0.04
WebKit before r41741, as used in Apple iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Safari, and other software, allows remote attackers to cause a denial of service (memory consumption or device reset) via a web page containing an HTMLSelectElement…
- CVE-2009-1680Jun 19, 2009risk 0.00cvss —epss 0.00
Safari in Apple iPhone OS 1.0 through 2.2.1 and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly clear the search history when it is cleared from the Settings application, which allows physically proximate attackers to obtain the search history.
- CVE-2009-2072Jun 15, 2009risk 0.00cvss —epss 0.00
Apple Safari does not require a cached certificate before displaying a lock icon for an https web site, which allows man-in-the-middle attackers to spoof an arbitrary https site by sending the browser a crafted (1) 4xx or (2) 5xx CONNECT response page for an https request sent…
- CVE-2009-2066Jun 15, 2009risk 0.00cvss —epss 0.01
Apple Safari detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file…
- CVE-2009-2062Jun 15, 2009risk 0.00cvss —epss 0.01
Apple Safari before 3.2.2 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary…
- CVE-2009-2058Jun 15, 2009risk 0.00cvss —epss 0.01
Apple Safari before 3.2.2 uses the HTTP Host header to determine the context of a document provided in a (1) 4xx or (2) 5xx CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an…
- CVE-2009-2027Jun 10, 2009risk 0.00cvss —epss 0.00
The Installer in Apple Safari before 4.0 on Windows allows local users to gain privileges by checking a box that specifies an immediate launch of the application after installation, related to an unspecified compression method.
- CVE-2009-1718Jun 10, 2009risk 0.00cvss —epss 0.02
WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to obtain sensitive information via vectors involving drag events and the dragging of content over a crafted web page.
- CVE-2009-1716Jun 10, 2009risk 0.00cvss —epss 0.00
CFNetwork in Apple Safari before 4.0 on Windows does not properly protect the temporary files created for downloads, which allows local users to obtain sensitive information by reading these files.
- CVE-2009-1715Jun 10, 2009risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to script execution with incorrect privileges.
- CVE-2009-1714Jun 10, 2009risk 0.00cvss —epss 0.03
Cross-site scripting (XSS) vulnerability in Web Inspector in WebKit in Apple Safari before 4.0 allows user-assisted remote attackers to inject arbitrary web script or HTML, and read local files, via vectors related to the improper escaping of HTML attributes.
- CVE-2009-1713Jun 10, 2009risk 0.00cvss —epss 0.02
The XSLT functionality in WebKit in Apple Safari before 4.0 does not properly implement the document function, which allows remote attackers to read (1) arbitrary local files and (2) files from different security zones via unspecified vectors.
- CVE-2009-1710Jun 10, 2009risk 0.00cvss —epss 0.03
WebKit in Apple Safari before 4.0 allows remote attackers to spoof the browser's display of (1) the host name, (2) security indicators, and unspecified other UI elements via a custom cursor in conjunction with a modified CSS3 hotspot property.
- CVE-2009-1708Jun 10, 2009risk 0.00cvss —epss 0.05
Apple Safari before 4.0 does not prevent calls to the open-help-anchor URL handler by web sites, which allows remote attackers to open arbitrary local help files, and execute arbitrary code or obtain sensitive information, via a crafted call.
- CVE-2009-1707Jun 10, 2009risk 0.00cvss —epss 0.00
Race condition in the Reset Safari implementation in Apple Safari before 4.0 on Windows might allow local users to read stored web-site passwords via unspecified vectors.
Page 75 of 81