Vendor CVEs
Apple Inc.
All CVEs
8,452 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-4752 | Med | 0.36 | 5.5 | 0.01 | Sep 25, 2016 | The SecKeyDeriveFromPassword function in Apple OS X before 10.12 does not use the CF_RETURNS_RETAINED keyword, which allows attackers to obtain sensitive information from process memory by triggering key derivation. | ||
| CVE-2016-4742 | Med | 0.36 | 5.5 | 0.01 | Sep 25, 2016 | NSSecureTextField in Apple OS X before 10.12 does not enable Secure Input, which allows attackers to discover credentials via a crafted app. | ||
| CVE-2016-4706 | Med | 0.36 | 5.5 | 0.00 | Sep 25, 2016 | cd9660 in Apple OS X before 10.12 allows local users to cause a denial of service via unspecified vectors. | ||
| CVE-2016-4719 | Med | 0.36 | 5.5 | 0.01 | Sep 18, 2016 | The GeoServices component in Apple iOS before 10 and watchOS before 3 does not properly restrict access to PlaceData information, which allows attackers to discover physical locations via a crafted application. | ||
| CVE-2016-7153 | Med | 0.36 | 5.3 | 0.14 | Sep 6, 2016 | The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a… | ||
| CVE-2016-7152 | Med | 0.36 | 5.3 | 0.14 | Sep 6, 2016 | The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a… | ||
| CVE-2016-4649 | Med | 0.36 | 5.5 | 0.00 | Jul 22, 2016 | Audio in Apple OS X before 10.11.6 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. | ||
| CVE-2016-4648 | Med | 0.36 | 5.5 | 0.00 | Jul 22, 2016 | Audio in Apple OS X before 10.11.6 allows local users to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds read) via unspecified vectors. | ||
| CVE-2016-4628 | Med | 0.36 | 5.5 | 0.00 | Jul 22, 2016 | IOAcceleratorFamily in Apple iOS before 9.3.3 and watchOS before 2.2.2 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via unspecified vectors. | ||
| CVE-2016-1865 | Med | 0.36 | 5.5 | 0.00 | Jul 22, 2016 | The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. | ||
| CVE-2016-1814 | Med | 0.36 | 5.5 | 0.01 | May 20, 2016 | IOAcceleratorFamily in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app. | ||
| CVE-2016-1807 | Med | 0.36 | 5.1 | 0.01 | May 20, 2016 | Race condition in the Disk Images subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to obtain sensitive information from kernel memory via unspecified vectors. | ||
| CVE-2016-1802 | Med | 0.36 | 5.5 | 0.01 | May 20, 2016 | CCCrypt in CommonCrypto in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 mishandles return values during key-length calculations, which allows attackers to obtain sensitive information via a crafted app. | ||
| CVE-2016-1789 | Med | 0.36 | 5.5 | 0.01 | Apr 5, 2016 | Apple iBooks Author before 2.4.1 allows remote attackers to read arbitrary files via an iBooks Author file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | ||
| CVE-2016-1752 | Med | 0.36 | 5.5 | 0.01 | Mar 24, 2016 | The kernel in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9.2, and watchOS before 2.2 allows attackers to cause a denial of service via a crafted app. | ||
| CVE-2016-1745 | Med | 0.36 | 5.5 | 0.00 | Mar 24, 2016 | IOFireWireFamily in Apple OS X before 10.11.4 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. | ||
| CVE-2016-1732 | Med | 0.36 | 5.5 | 0.00 | Mar 24, 2016 | AppleRAID in Apple OS X before 10.11.4 allows local users to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds read) via unspecified vectors. | ||
| CVE-2014-4373 | Med | 0.36 | 5.5 | 0.01 | Sep 18, 2014 | The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted application. | ||
| CVE-2014-4364 | Med | 0.36 | 5.6 | 0.01 | Sep 18, 2014 | The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the… | ||
| CVE-2009-0141 | Med | 0.36 | 5.5 | 0.00 | Feb 13, 2009 | XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creates tty devices with insecure world-writable permissions, which allows local users to write to the Xterm of another user. | ||
| CVE-2026-28819 | Med | 0.35 | 5.4 | 0.07 | May 11, 2026 | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges. | ||
| CVE-2026-28909 | Med | 0.35 | 6.5 | 0.00 | Apr 30, 2026 | Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3. | ||
| CVE-2025-43495 | Med | 0.35 | 5.4 | 0.00 | Nov 4, 2025 | The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission. | ||
| CVE-2025-31254 | Med | 0.35 | 5.4 | 0.00 | Sep 15, 2025 | This issue was addressed with improved URL validation. This issue is fixed in Safari 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to unexpected URL redirection. | ||
| CVE-2025-31241 | Med | 0.35 | 5.3 | 0.01 | May 12, 2025 | A double free issue was addressed with improved memory management. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, tvOS 18.5, visionOS 2.5, watchOS 11.5. A remote attacker may cause an unexpected app… | ||
| CVE-2025-24271 | Med | 0.35 | 5.4 | 0.00 | Apr 29, 2025 | An access issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An unauthenticated user on the same network as a signed-in Mac… | ||
| CVE-2023-42981 | Med | 0.35 | 5.4 | 0.00 | Apr 11, 2025 | Processing a file may lead to a denial-of-service or potentially disclose memory contents. This issue is fixed in macOS 14. The issue was addressed with improved checks. | ||
| CVE-2025-30428 | Med | 0.35 | 5.4 | 0.00 | Mar 31, 2025 | This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6. Photos in the Hidden Photos Album may be viewed without authentication. | ||
| CVE-2024-54466 | Med | 0.35 | 5.3 | 0.01 | Dec 12, 2024 | An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An encrypted volume may be accessed by a different user without prompting for the password. | ||
| CVE-2024-44246 | Med | 0.35 | 5.3 | 0.01 | Dec 12, 2024 | The issue was addressed with improved routing of Safari-originated requests. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2. On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the… | ||
| CVE-2024-44296 | Med | 0.35 | 5.4 | 0.01 | Oct 28, 2024 | The issue was addressed with improved checks. This issue is fixed in Safari 18.1, iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, tvOS 18.1, visionOS 2.1, watchOS 11.1. Processing maliciously crafted web content may prevent Content Security Policy… | ||
| CVE-2024-44229 | Med | 0.35 | 5.3 | 0.01 | Oct 28, 2024 | An information leakage was addressed with additional validation. This issue is fixed in Safari 18.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, visionOS 2.1. Private browsing may leak some browsing history. | ||
| CVE-2024-40796 | Med | 0.35 | 5.3 | 0.01 | Jul 29, 2024 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Private browsing may leak some browsing history. | ||
| CVE-2024-40794 | Med | 0.35 | 5.3 | 0.01 | Jul 29, 2024 | This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication. | ||
| CVE-2024-27881 | Med | 0.35 | 5.3 | 0.01 | Jul 29, 2024 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. An app may be able to access information about a user’s contacts. | ||
| CVE-2024-24787 | Med | 0.35 | 6.4 | 0.01 | May 8, 2024 | On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive. | ||
| CVE-2023-42923 | Med | 0.35 | 5.3 | 0.01 | Dec 12, 2023 | This issue was addressed through improved state management. This issue is fixed in iOS 17.2 and iPadOS 17.2. Private Browsing tabs may be accessed without authentication. | ||
| CVE-2023-42846 | Med | 0.35 | 5.3 | 0.01 | Oct 25, 2023 | This issue was addressed by removing the vulnerable code. This issue is fixed in watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1, iOS 17.1 and iPadOS 17.1. A device may be passively tracked by its Wi-Fi MAC address. | ||
| CVE-2023-42845 | Med | 0.35 | 5.3 | 0.01 | Oct 25, 2023 | An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. Photos in the Hidden Photos Album may be viewed without authentication. | ||
| CVE-2023-40408 | Med | 0.35 | 5.3 | 0.01 | Oct 25, 2023 | An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Hide My Email may be deactivated unexpectedly. | ||
| CVE-2023-40417 | Med | 0.35 | 5.4 | 0.01 | Sep 27, 2023 | A window management issue was addressed with improved state management. This issue is fixed in Safari 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. Visiting a website that frames malicious content may lead to UI spoofing. | ||
| CVE-2023-32370 | Med | 0.35 | 5.3 | 0.01 | Sep 6, 2023 | A logic issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.3. Content Security Policy to block domains with wildcards may fail. | ||
| CVE-2022-32943 | Med | 0.35 | 5.3 | 0.01 | Dec 15, 2022 | The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1. Shake-to-undo may allow a deleted photo to be re-surfaced without authentication. | ||
| CVE-2022-32938 | Med | 0.35 | 5.3 | 0.01 | Nov 1, 2022 | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13. A shortcut may be able to check the existence of an arbitrary path on the file system. | ||
| CVE-2022-32928 | Med | 0.35 | 5.3 | 0.01 | Nov 1, 2022 | A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, macOS Ventura 13, watchOS 9. A user in a privileged network position may be able to intercept mail credentials. | ||
| CVE-2022-26725 | Med | 0.35 | 5.3 | 0.01 | May 26, 2022 | A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4. Photo location information may persist after it is removed with Preview Inspector. | ||
| CVE-2021-30667 | Med | 0.35 | 5.4 | 0.00 | Sep 8, 2021 | A logic issue was addressed with improved validation. This issue is fixed in iOS 14.6 and iPadOS 14.6. An attacker in WiFi range may be able to force a client to use a less secure authentication mechanism. | ||
| CVE-2021-30720 | Med | 0.35 | 5.4 | 0.01 | Sep 8, 2021 | A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, watchOS 7.5. A malicious website may be able to access restricted ports on arbitrary servers. | ||
| CVE-2021-30930 | Med | 0.35 | 5.3 | 0.01 | Aug 24, 2021 | A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.0.1. An attacker may be able to track users through their IP address. | ||
| CVE-2021-30904 | Med | 0.35 | 5.3 | 0.01 | Aug 24, 2021 | A sync issue was addressed with improved state validation. This issue is fixed in macOS Monterey 12.0.1. A user's messages may continue to sync after the user has signed out of iMessage. |
- risk 0.36cvss 5.5epss 0.01
The SecKeyDeriveFromPassword function in Apple OS X before 10.12 does not use the CF_RETURNS_RETAINED keyword, which allows attackers to obtain sensitive information from process memory by triggering key derivation.
- risk 0.36cvss 5.5epss 0.01
NSSecureTextField in Apple OS X before 10.12 does not enable Secure Input, which allows attackers to discover credentials via a crafted app.
- risk 0.36cvss 5.5epss 0.00
cd9660 in Apple OS X before 10.12 allows local users to cause a denial of service via unspecified vectors.
- risk 0.36cvss 5.5epss 0.01
The GeoServices component in Apple iOS before 10 and watchOS before 3 does not properly restrict access to PlaceData information, which allows attackers to discover physical locations via a crafted application.
- risk 0.36cvss 5.3epss 0.14
The HTTP/2 protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a…
- risk 0.36cvss 5.3epss 0.14
The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a…
- risk 0.36cvss 5.5epss 0.00
Audio in Apple OS X before 10.11.6 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
- risk 0.36cvss 5.5epss 0.00
Audio in Apple OS X before 10.11.6 allows local users to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds read) via unspecified vectors.
- risk 0.36cvss 5.5epss 0.00
IOAcceleratorFamily in Apple iOS before 9.3.3 and watchOS before 2.2.2 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via unspecified vectors.
- risk 0.36cvss 5.5epss 0.00
The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
- risk 0.36cvss 5.5epss 0.01
IOAcceleratorFamily in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted app.
- risk 0.36cvss 5.1epss 0.01
Race condition in the Disk Images subsystem in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows local users to obtain sensitive information from kernel memory via unspecified vectors.
- risk 0.36cvss 5.5epss 0.01
CCCrypt in CommonCrypto in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 mishandles return values during key-length calculations, which allows attackers to obtain sensitive information via a crafted app.
- risk 0.36cvss 5.5epss 0.01
Apple iBooks Author before 2.4.1 allows remote attackers to read arbitrary files via an iBooks Author file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
- risk 0.36cvss 5.5epss 0.01
The kernel in Apple iOS before 9.3, OS X before 10.11.4, tvOS before 9.2, and watchOS before 2.2 allows attackers to cause a denial of service via a crafted app.
- risk 0.36cvss 5.5epss 0.00
IOFireWireFamily in Apple OS X before 10.11.4 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors.
- risk 0.36cvss 5.5epss 0.00
AppleRAID in Apple OS X before 10.11.4 allows local users to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds read) via unspecified vectors.
- risk 0.36cvss 5.5epss 0.01
The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted application.
- risk 0.36cvss 5.6epss 0.01
The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the…
- risk 0.36cvss 5.5epss 0.00
XTerm in Apple Mac OS X 10.4.11 and 10.5.6, when used with luit, creates tty devices with insecure world-writable permissions, which allows local users to write to the Xterm of another user.
- risk 0.35cvss 5.4epss 0.07
An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to execute arbitrary code with kernel privileges.
- risk 0.35cvss 6.5epss 0.00
Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3.
- risk 0.35cvss 5.4epss 0.00
The issue was addressed with improved checks. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1. An app may be able to monitor keystrokes without user permission.
- risk 0.35cvss 5.4epss 0.00
This issue was addressed with improved URL validation. This issue is fixed in Safari 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to unexpected URL redirection.
- risk 0.35cvss 5.3epss 0.01
A double free issue was addressed with improved memory management. This issue is fixed in iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6, tvOS 18.5, visionOS 2.5, watchOS 11.5. A remote attacker may cause an unexpected app…
- risk 0.35cvss 5.4epss 0.00
An access issue was addressed with improved access restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4. An unauthenticated user on the same network as a signed-in Mac…
- risk 0.35cvss 5.4epss 0.00
Processing a file may lead to a denial-of-service or potentially disclose memory contents. This issue is fixed in macOS 14. The issue was addressed with improved checks.
- risk 0.35cvss 5.4epss 0.00
This issue was addressed through improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6. Photos in the Hidden Photos Album may be viewed without authentication.
- risk 0.35cvss 5.3epss 0.01
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2, macOS Ventura 13.7.2. An encrypted volume may be accessed by a different user without prompting for the password.
- risk 0.35cvss 5.3epss 0.01
The issue was addressed with improved routing of Safari-originated requests. This issue is fixed in Safari 18.2, iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, macOS Sequoia 15.2. On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the…
- risk 0.35cvss 5.4epss 0.01
The issue was addressed with improved checks. This issue is fixed in Safari 18.1, iOS 17.7.1 and iPadOS 17.7.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, tvOS 18.1, visionOS 2.1, watchOS 11.1. Processing maliciously crafted web content may prevent Content Security Policy…
- risk 0.35cvss 5.3epss 0.01
An information leakage was addressed with additional validation. This issue is fixed in Safari 18.1, iOS 18.1 and iPadOS 18.1, macOS Sequoia 15.1, visionOS 2.1. Private browsing may leak some browsing history.
- risk 0.35cvss 5.3epss 0.01
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 16.7.9 and iPadOS 16.7.9, macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. Private browsing may leak some browsing history.
- risk 0.35cvss 5.3epss 0.01
This issue was addressed through improved state management. This issue is fixed in Safari 17.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Private Browsing tabs may be accessed without authentication.
- risk 0.35cvss 5.3epss 0.01
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Monterey 12.7.6, macOS Sonoma 14.6, macOS Ventura 13.6.8. An app may be able to access information about a user’s contacts.
- risk 0.35cvss 6.4epss 0.01
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
- risk 0.35cvss 5.3epss 0.01
This issue was addressed through improved state management. This issue is fixed in iOS 17.2 and iPadOS 17.2. Private Browsing tabs may be accessed without authentication.
- risk 0.35cvss 5.3epss 0.01
This issue was addressed by removing the vulnerable code. This issue is fixed in watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1, iOS 17.1 and iPadOS 17.1. A device may be passively tracked by its Wi-Fi MAC address.
- risk 0.35cvss 5.3epss 0.01
An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, iOS 17.1 and iPadOS 17.1. Photos in the Hidden Photos Album may be viewed without authentication.
- risk 0.35cvss 5.3epss 0.01
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Hide My Email may be deactivated unexpectedly.
- risk 0.35cvss 5.4epss 0.01
A window management issue was addressed with improved state management. This issue is fixed in Safari 17, iOS 17 and iPadOS 17, watchOS 10, macOS Sonoma 14. Visiting a website that frames malicious content may lead to UI spoofing.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.3. Content Security Policy to block domains with wildcards may fail.
- risk 0.35cvss 5.3epss 0.01
The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1. Shake-to-undo may allow a deleted photo to be re-surfaced without authentication.
- risk 0.35cvss 5.3epss 0.01
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in iOS 16.1 and iPadOS 16, macOS Ventura 13. A shortcut may be able to check the existence of an arbitrary path on the file system.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 16, macOS Ventura 13, watchOS 9. A user in a privileged network position may be able to intercept mail credentials.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.4. Photo location information may persist after it is removed with Preview Inspector.
- risk 0.35cvss 5.4epss 0.00
A logic issue was addressed with improved validation. This issue is fixed in iOS 14.6 and iPadOS 14.6. An attacker in WiFi range may be able to force a client to use a less secure authentication mechanism.
- risk 0.35cvss 5.4epss 0.01
A logic issue was addressed with improved restrictions. This issue is fixed in tvOS 14.6, iOS 14.6 and iPadOS 14.6, Safari 14.1.1, macOS Big Sur 11.4, watchOS 7.5. A malicious website may be able to access restricted ports on arbitrary servers.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved state management. This issue is fixed in macOS Monterey 12.0.1. An attacker may be able to track users through their IP address.
- risk 0.35cvss 5.3epss 0.01
A sync issue was addressed with improved state validation. This issue is fixed in macOS Monterey 12.0.1. A user's messages may continue to sync after the user has signed out of iMessage.
Page 88 of 170