OS X

CVEs (545)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2016-4639	Apple Inc. Mac Os X	Hig	0.46	7.0	0.00	Jul 22, 2016	Login Window in Apple OS X before 10.11.6 does not properly initialize memory, which allows local users to cause a denial of service via unspecified vectors.
CVE-2016-1734	Apple Inc. Mac Os X	Med	0.44	6.8	0.00	Mar 24, 2016	AppleUSBNetworking in Apple iOS before 9.3 and OS X before 10.11.4 allows physically proximate attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted USB device.
CVE-2015-7024	Apple Inc. Mac Os X	Med	0.44	6.7	0.00	Jan 11, 2016	Untrusted search path vulnerability in Apple OS X before 10.11.1 allows local users to bypass intended Gatekeeper restrictions and gain privileges via a Trojan horse program that is loaded from an unexpected directory by an application that has a valid Apple digital signature.
CVE-2016-4708	Apple Inc. Mac Os X	Med	0.43	6.5	0.04	Sep 25, 2016	CFNetwork in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 misparses the Set-Cookie header, which allows remote attackers to obtain sensitive information via a crafted HTTP response.
CVE-2016-4718	Apple Inc. Mac Os X	Med	0.42	6.5	0.02	Sep 25, 2016	Buffer overflow in FontParser in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to obtain sensitive information from process memory via a crafted font file.
CVE-2016-4646	Apple Inc. Mac Os X	Med	0.42	6.5	0.01	Jul 22, 2016	Audio in Apple OS X before 10.11.6 mishandles a size value, which allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted audio file.
CVE-2016-1811	Apple Inc. Mac Os X	Med	0.42	6.5	0.01	May 20, 2016	ImageIO in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image.
CVE-2016-1770	Apple Inc. Mac Os X	Med	0.42	6.5	0.00	Mar 24, 2016	The Reminders component in Apple OS X before 10.11.4 allows attackers to bypass an intended user-confirmation requirement and trigger a dialing action via a tel: URL.
CVE-2016-4652	Apple Inc. Mac Os X	Med	0.41	6.3	0.00	Jul 22, 2016	CoreGraphics in Apple OS X before 10.11.6 allows local users to obtain sensitive information from kernel memory and consequently gain privileges, or cause a denial of service (out-of-bounds read), via unspecified vectors.
CVE-2016-1737	Apple Inc. Mac Os X	Med	0.41	6.3	0.01	Mar 24, 2016	Carbon in Apple OS X before 10.11.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dfont file.
CVE-2016-4701	Apple Inc. Swift	Med	0.40	6.2	0.00	Sep 25, 2016	Application Firewall in Apple OS X before 10.12 allows local users to cause a denial of service via vectors involving a crafted SO_EXECPATH environment variable.
CVE-2016-1788	Apple Inc. Mac Os X	Med	0.38	5.9	0.01	Mar 24, 2016	Messages in Apple iOS before 9.3, OS X before 10.11.4, and watchOS before 2.2 does not properly implement a cryptographic protection mechanism, which allows remote attackers to read message attachments via vectors related to duplicate messages.
CVE-2016-4771	Apple Inc. iOS	Med	0.36	5.5	0.00	Sep 25, 2016	The kernel in Apple iOS before 10 and OS X before 10.12 allows local users to bypass intended file-access restrictions via a crafted directory pathname.
CVE-2016-4755	Apple Inc. Mac Os X	Med	0.36	5.5	0.00	Sep 25, 2016	Terminal in Apple OS X before 10.12 uses weak permissions for the .bash_history and .bash_session files, which allows local users to obtain sensitive information via unspecified vectors.
CVE-2016-4752	Apple Inc. Mac Os X	Med	0.36	5.5	0.00	Sep 25, 2016	The SecKeyDeriveFromPassword function in Apple OS X before 10.12 does not use the CF_RETURNS_RETAINED keyword, which allows attackers to obtain sensitive information from process memory by triggering key derivation.
CVE-2016-4742	Apple Inc. Mac Os X	Med	0.36	5.5	0.00	Sep 25, 2016	NSSecureTextField in Apple OS X before 10.12 does not enable Secure Input, which allows attackers to discover credentials via a crafted app.
CVE-2016-4706	Apple Inc. Mac Os X	Med	0.36	5.5	0.00	Sep 25, 2016	cd9660 in Apple OS X before 10.12 allows local users to cause a denial of service via unspecified vectors.
CVE-2016-4649	Apple Inc. Mac Os X	Med	0.36	5.5	0.00	Jul 22, 2016	Audio in Apple OS X before 10.11.6 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
CVE-2016-4648	Apple Inc. Mac Os X	Med	0.36	5.5	0.00	Jul 22, 2016	Audio in Apple OS X before 10.11.6 allows local users to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds read) via unspecified vectors.
CVE-2016-1865	Apple Inc. Mac Os X	Med	0.36	5.5	0.00	Jul 22, 2016	The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.

CVE-2016-4639HigJul 22, 2016
Apple Inc.
Mac Os X
risk 0.46cvss 7.0epss 0.00
Login Window in Apple OS X before 10.11.6 does not properly initialize memory, which allows local users to cause a denial of service via unspecified vectors.
CVE-2016-1734MedMar 24, 2016
Apple Inc.
Mac Os X
risk 0.44cvss 6.8epss 0.00
AppleUSBNetworking in Apple iOS before 9.3 and OS X before 10.11.4 allows physically proximate attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted USB device.
CVE-2015-7024MedJan 11, 2016
Apple Inc.
Mac Os X
risk 0.44cvss 6.7epss 0.00
Untrusted search path vulnerability in Apple OS X before 10.11.1 allows local users to bypass intended Gatekeeper restrictions and gain privileges via a Trojan horse program that is loaded from an unexpected directory by an application that has a valid Apple digital signature.
CVE-2016-4708MedSep 25, 2016
Apple Inc.
Mac Os X
risk 0.43cvss 6.5epss 0.04
CFNetwork in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 misparses the Set-Cookie header, which allows remote attackers to obtain sensitive information via a crafted HTTP response.
CVE-2016-4718MedSep 25, 2016
Apple Inc.
Mac Os X
risk 0.42cvss 6.5epss 0.02
Buffer overflow in FontParser in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to obtain sensitive information from process memory via a crafted font file.
CVE-2016-4646MedJul 22, 2016
Apple Inc.
Mac Os X
risk 0.42cvss 6.5epss 0.01
Audio in Apple OS X before 10.11.6 mishandles a size value, which allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted audio file.
CVE-2016-1811MedMay 20, 2016
Apple Inc.
Mac Os X
risk 0.42cvss 6.5epss 0.01
ImageIO in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image.
CVE-2016-1770MedMar 24, 2016
Apple Inc.
Mac Os X
risk 0.42cvss 6.5epss 0.00
The Reminders component in Apple OS X before 10.11.4 allows attackers to bypass an intended user-confirmation requirement and trigger a dialing action via a tel: URL.
CVE-2016-4652MedJul 22, 2016
Apple Inc.
Mac Os X
risk 0.41cvss 6.3epss 0.00
CoreGraphics in Apple OS X before 10.11.6 allows local users to obtain sensitive information from kernel memory and consequently gain privileges, or cause a denial of service (out-of-bounds read), via unspecified vectors.
CVE-2016-1737MedMar 24, 2016
Apple Inc.
Mac Os X
risk 0.41cvss 6.3epss 0.01
Carbon in Apple OS X before 10.11.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .dfont file.
CVE-2016-4701MedSep 25, 2016
Apple Inc.
Swift
risk 0.40cvss 6.2epss 0.00
Application Firewall in Apple OS X before 10.12 allows local users to cause a denial of service via vectors involving a crafted SO_EXECPATH environment variable.
CVE-2016-1788MedMar 24, 2016
Apple Inc.
Mac Os X
risk 0.38cvss 5.9epss 0.01
Messages in Apple iOS before 9.3, OS X before 10.11.4, and watchOS before 2.2 does not properly implement a cryptographic protection mechanism, which allows remote attackers to read message attachments via vectors related to duplicate messages.
CVE-2016-4771MedSep 25, 2016
Apple Inc.
iOS
risk 0.36cvss 5.5epss 0.00
The kernel in Apple iOS before 10 and OS X before 10.12 allows local users to bypass intended file-access restrictions via a crafted directory pathname.
CVE-2016-4755MedSep 25, 2016
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
Terminal in Apple OS X before 10.12 uses weak permissions for the .bash_history and .bash_session files, which allows local users to obtain sensitive information via unspecified vectors.
CVE-2016-4752MedSep 25, 2016
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
The SecKeyDeriveFromPassword function in Apple OS X before 10.12 does not use the CF_RETURNS_RETAINED keyword, which allows attackers to obtain sensitive information from process memory by triggering key derivation.
CVE-2016-4742MedSep 25, 2016
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
NSSecureTextField in Apple OS X before 10.12 does not enable Secure Input, which allows attackers to discover credentials via a crafted app.
CVE-2016-4706MedSep 25, 2016
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
cd9660 in Apple OS X before 10.12 allows local users to cause a denial of service via unspecified vectors.
CVE-2016-4649MedJul 22, 2016
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
Audio in Apple OS X before 10.11.6 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
CVE-2016-4648MedJul 22, 2016
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
Audio in Apple OS X before 10.11.6 allows local users to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds read) via unspecified vectors.
CVE-2016-1865MedJul 22, 2016
Apple Inc.
Mac Os X
risk 0.36cvss 5.5epss 0.00
The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.

Page 7 of 28