Vendor CVEs
Apple Inc.
All CVEs
8,452 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-9860 | Med | 0.35 | 5.4 | 0.01 | Oct 27, 2020 | A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 13.0.5. Processing a maliciously crafted URL may lead to arbitrary javascript code execution. | ||
| CVE-2020-3852 | Med | 0.35 | 5.3 | 0.01 | Oct 27, 2020 | A logic issue was addressed with improved validation. This issue is fixed in Safari 13.0.5. A URL scheme may be incorrectly ignored when determining multimedia permission for a website. | ||
| CVE-2019-8858 | Med | 0.35 | 5.3 | 0.01 | Oct 27, 2020 | A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006. A user who shares their screen may not be able to end screen sharing. | ||
| CVE-2019-8796 | Med | 0.35 | 5.3 | 0.01 | Oct 27, 2020 | A logic issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006, iOS 12.4.3, watchOS 6.1, iOS 13.2 and iPadOS 13.2. AirDrop transfers may be unexpectedly accepted while in Everyone mode. | ||
| CVE-2020-9787 | Med | 0.35 | 5.3 | 0.01 | Oct 22, 2020 | A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. Some websites may not have appeared in Safari Preferences. | ||
| CVE-2020-9916 | Med | 0.35 | 5.3 | 0.01 | Oct 16, 2020 | A URL Unicode encoding issue was addressed with improved state management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. A malicious attacker may be able… | ||
| CVE-2020-9835 | Med | 0.35 | 5.3 | 0.01 | Jun 9, 2020 | An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. This issue is fixed in iOS 13.5 and iPadOS 13.5. A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing. | ||
| CVE-2020-9781 | Med | 0.35 | 5.3 | 0.01 | Apr 1, 2020 | The issue was addressed by clearing website permission prompts after navigation. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user may grant website permissions to a site they didn't intend to. | ||
| CVE-2020-9777 | Med | 0.35 | 5.3 | 0.01 | Apr 1, 2020 | An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video. This issue is fixed in iOS 13.4 and iPadOS 13.4. Cropped videos may not be shared properly via Mail. | ||
| CVE-2020-9775 | Med | 0.35 | 5.3 | 0.01 | Apr 1, 2020 | An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user's private browsing activity may be unexpectedly saved in Screen Time. | ||
| CVE-2020-3916 | Med | 0.35 | 5.3 | 0.01 | Apr 1, 2020 | An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. Setting an alternate app icon may disclose a photo without needing permission to access photos. | ||
| CVE-2020-3890 | Med | 0.35 | 5.3 | 0.01 | Apr 1, 2020 | The issue was addressed with improved deletion. This issue is fixed in iOS 13.4 and iPadOS 13.4. Deleted messages groups may still be suggested as an autocompletion. | ||
| CVE-2020-3874 | Med | 0.35 | 5.3 | 0.01 | Feb 27, 2020 | An issued existed in the naming of screenshots. The issue was corrected with improved naming. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. Screenshots of the Messages app may reveal additional message content. | ||
| CVE-2020-3869 | Med | 0.35 | 5.3 | 0.01 | Feb 27, 2020 | An issue existed in the handling of the local user's self-view. The issue was corrected with improved logic. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. A remote FaceTime user may be able to cause the local user's camera self-view to display the incorrect camera. | ||
| CVE-2019-8768 | Med | 0.35 | 5.3 | 0.02 | Dec 18, 2019 | "Clear History and Website Data" did not clear the history. The issue was addressed with improved data deletion. This issue is fixed in macOS Catalina 10.15. A user may be unable to delete browsing history items. | ||
| CVE-2019-8725 | Med | 0.35 | 5.3 | 0.01 | Dec 18, 2019 | The issue was addressed with improved handling of service worker lifetime. This issue is fixed in Safari 13.0.1. Service workers may leak private browsing history. | ||
| CVE-2019-8711 | Med | 0.35 | 5.3 | 0.01 | Dec 18, 2019 | A logic issue existed with the display of notification previews. This issue was addressed with improved validation. This issue is fixed in iOS 13. Notification previews may show on Bluetooth accessories even when previews are disabled. | ||
| CVE-2019-11070 | Med | 0.35 | 5.3 | 0.03 | Apr 10, 2019 | WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are… | ||
| CVE-2018-4356 | Med | 0.35 | 5.3 | 0.01 | Apr 3, 2019 | A permissions issue existed. This issue was addressed with improved permission validation. This issue affected versions prior to iOS 12. | ||
| CVE-2018-4321 | Med | 0.35 | 5.3 | 0.01 | Apr 3, 2019 | A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12. | ||
| CVE-2018-4293 | Med | 0.35 | 5.3 | 0.01 | Apr 3, 2019 | A cookie management issue was addressed with improved checks. This issue affected versions prior to iOS 11.4.1, macOS High Sierra 10.13.6, tvOS 11.4.1, watchOS 4.3.2, iTunes 12.8 for Windows, iCloud for Windows 7.6. | ||
| CVE-2018-4279 | Med | 0.35 | 5.3 | 0.01 | Apr 3, 2019 | An inconsistent user interface issue was addressed with improved state management. This issue affected versions prior to Safari 11.1.2. | ||
| CVE-2017-7147 | Med | 0.35 | 5.3 | 0.01 | Oct 23, 2017 | An issue was discovered in certain Apple products. The Apple Support app before 1.2 for iOS is affected. The issue involves the "Analytics" component. It allows remote attackers to obtain sensitive analytics information by leveraging its presence in a cleartext HTTP transmission… | ||
| CVE-2017-7146 | Med | 0.35 | 5.3 | 0.01 | Oct 23, 2017 | An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Security" component. It allows attackers to track users across installs via a crafted app that leverages Keychain data mishandling. | ||
| CVE-2017-7145 | Med | 0.35 | 5.3 | 0.01 | Oct 23, 2017 | An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Time" component. The "Setting Time Zone" feature mishandles the possibility of using location data. | ||
| CVE-2017-7142 | Med | 0.35 | 5.3 | 0.02 | Oct 23, 2017 | An issue was discovered in certain Apple products. Safari before 11 is affected. The issue involves the "WebKit Storage" component. It allows attackers to bypass the Safari Private Browsing protection mechanism, and consequently obtain sensitive information about visited web… | ||
| CVE-2017-7141 | Med | 0.35 | 5.3 | 0.01 | Oct 23, 2017 | An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Mail" component. It allows remote attackers to bypass an intended off value of the "Load remote content in messages" setting, and consequently discover an e-mail… | ||
| CVE-2017-7140 | Med | 0.35 | 5.3 | 0.01 | Oct 23, 2017 | An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Keyboard Suggestions" component. It allows attackers to obtain sensitive information by reading keyboard autocorrect suggestions. | ||
| CVE-2017-7078 | Med | 0.35 | 5.3 | 0.01 | Oct 23, 2017 | An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. The issue involves the "Mail Drafts" component. It allows remote attackers to obtain sensitive information by reading unintended cleartext transmissions. | ||
| CVE-2017-7006 | Med | 0.35 | 5.3 | 0.01 | Jul 20, 2017 | An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct a timing side-channel attack to bypass the Same… | ||
| CVE-2017-2414 | Med | 0.35 | 5.3 | 0.02 | Apr 2, 2017 | An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "DataAccess" component. It allows remote attackers to access Exchange traffic in opportunistic circumstances by leveraging a mistake in typing an e-mail address. | ||
| CVE-2017-2400 | Med | 0.35 | 5.3 | 0.01 | Apr 2, 2017 | An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "SafariViewController" component. It allows attackers to obtain sensitive information by leveraging the SafariViewController's incorrect synchronization of Safari cache… | ||
| CVE-2017-2391 | Med | 0.35 | 5.3 | 0.01 | Apr 2, 2017 | An issue was discovered in certain Apple products. Pages before 6.1, Numbers before 4.1, and Keynote before 7.1 on macOS and Pages before 3.1, Numbers before 3.1, and Keynote before 3.1 on iOS are affected. The issue involves the "Export" component. It allows users to bypass… | ||
| CVE-2016-4745 | Med | 0.35 | 5.3 | 0.02 | Sep 25, 2016 | The Kerberos 5 (aka krb5) PAM module in Apple OS X before 10.12 does not use constant-time operations for determining username validity, which makes it easier for remote attackers to enumerate user accounts via a timing side-channel attack. | ||
| CVE-2016-4713 | Med | 0.35 | 5.3 | 0.01 | Sep 25, 2016 | CoreDisplay in Apple OS X before 10.12 allows attackers to view arbitrary users' screens by leveraging screen-sharing access. | ||
| CVE-2016-4746 | Med | 0.35 | 5.3 | 0.02 | Sep 18, 2016 | The Keyboards component in Apple iOS before 10 does not properly use a cache for auto-correct suggestions, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an unintended correction. | ||
| CVE-2016-4635 | Med | 0.35 | 5.3 | 0.01 | Jul 22, 2016 | FaceTime in Apple iOS before 9.3.3 and OS X before 10.11.6 allows man-in-the-middle attackers to spoof relayed-call termination, and obtain sensitive audio information in opportunistic circumstances, via unspecified vectors. | ||
| CVE-2016-4604 | Med | 0.35 | 5.4 | 0.01 | Jul 22, 2016 | Safari in Apple iOS before 9.3.3 allows remote attackers to spoof the displayed URL via an HTTP response specifying redirection to an invalid TCP port number. | ||
| CVE-2016-4590 | Med | 0.35 | 5.4 | 0.01 | Jul 22, 2016 | WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles about: URLs, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. | ||
| CVE-2016-1844 | Med | 0.35 | 5.3 | 0.02 | May 20, 2016 | The Messages component in Apple OS X before 10.11.5 mishandles roster changes, which allows remote attackers to modify contact lists via unspecified vectors. | ||
| CVE-2016-1787 | Med | 0.35 | 5.3 | 0.02 | Mar 24, 2016 | Wiki Server in Apple OS X Server before 5.1 allows remote attackers to obtain sensitive information from Wiki pages via unspecified vectors. | ||
| CVE-2016-1786 | Med | 0.35 | 5.4 | 0.01 | Mar 24, 2016 | The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles HTTP responses with a 3xx (aka redirection) status code, which allows remote attackers to spoof the displayed URL, bypass the Same Origin Policy, and obtain sensitive cached… | ||
| CVE-2016-1776 | Med | 0.35 | 5.3 | 0.02 | Mar 24, 2016 | Web Server in Apple OS X Server before 5.1 does not properly restrict access to .DS_Store and .htaccess files, which allows remote attackers to obtain sensitive configuration information via an HTTP request. | ||
| CVE-2016-1774 | Med | 0.35 | 5.3 | 0.02 | Mar 24, 2016 | The Time Machine server in Server App in Apple OS X Server before 5.1 does not notify the user about ignored permissions during a backup, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading backup data that lacks… | ||
| CVE-2016-0747 | Med | 0.35 | 5.3 | 0.08 | Feb 15, 2016 | The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution. | ||
| CVE-2016-1730 | Med | 0.35 | 5.4 | 0.01 | Feb 1, 2016 | WebSheet in Apple iOS before 9.2.1 allows remote attackers to read or write to cookies by operating a crafted captive portal. | ||
| CVE-2015-6563 | Med | 0.35 | 6.4 | 0.00 | Aug 24, 2015 | The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the… | ||
| CVE-2015-4000 | Low | 0.35 | 3.7 | 1.00 | May 21, 2015 | The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by… | ||
| CVE-2025-46308 | Med | 0.34 | 5.3 | 0.00 | Jun 11, 2026 | An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information. | ||
| CVE-2026-28994 | Med | 0.34 | 5.3 | 0.00 | May 11, 2026 | A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An attacker in a privileged network position… |
- risk 0.35cvss 5.4epss 0.01
A custom URL scheme handling issue was addressed with improved input validation. This issue is fixed in Safari 13.0.5. Processing a maliciously crafted URL may lead to arbitrary javascript code execution.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved validation. This issue is fixed in Safari 13.0.5. A URL scheme may be incorrectly ignored when determining multimedia permission for a website.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved state management. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006. A user who shares their screen may not be able to end screen sharing.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved validation. This issue is fixed in macOS Catalina 10.15.1, Security Update 2019-001, and Security Update 2019-006, iOS 12.4.3, watchOS 6.1, iOS 13.2 and iPadOS 13.2. AirDrop transfers may be unexpectedly accepted while in Everyone mode.
- risk 0.35cvss 5.3epss 0.01
A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, macOS Catalina 10.15.4, tvOS 13.4, watchOS 6.2. Some websites may not have appeared in Safari Preferences.
- risk 0.35cvss 5.3epss 0.01
A URL Unicode encoding issue was addressed with improved state management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. A malicious attacker may be able…
- risk 0.35cvss 5.3epss 0.01
An issue existed in the pausing of FaceTime video. The issue was resolved with improved logic. This issue is fixed in iOS 13.5 and iPadOS 13.5. A user’s video may not be paused in a FaceTime call if they exit the FaceTime app while the call is ringing.
- risk 0.35cvss 5.3epss 0.01
The issue was addressed by clearing website permission prompts after navigation. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user may grant website permissions to a site they didn't intend to.
- risk 0.35cvss 5.3epss 0.01
An issue existed in the selection of video file by Mail. The issue was fixed by selecting the latest version of a video. This issue is fixed in iOS 13.4 and iPadOS 13.4. Cropped videos may not be shared properly via Mail.
- risk 0.35cvss 5.3epss 0.01
An issue existed in the handling of tabs displaying picture in picture video. The issue was corrected with improved state handling. This issue is fixed in iOS 13.4 and iPadOS 13.4. A user's private browsing activity may be unexpectedly saved in Screen Time.
- risk 0.35cvss 5.3epss 0.01
An access issue was addressed with additional sandbox restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, watchOS 6.2. Setting an alternate app icon may disclose a photo without needing permission to access photos.
- risk 0.35cvss 5.3epss 0.01
The issue was addressed with improved deletion. This issue is fixed in iOS 13.4 and iPadOS 13.4. Deleted messages groups may still be suggested as an autocompletion.
- risk 0.35cvss 5.3epss 0.01
An issued existed in the naming of screenshots. The issue was corrected with improved naming. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. Screenshots of the Messages app may reveal additional message content.
- risk 0.35cvss 5.3epss 0.01
An issue existed in the handling of the local user's self-view. The issue was corrected with improved logic. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. A remote FaceTime user may be able to cause the local user's camera self-view to display the incorrect camera.
- risk 0.35cvss 5.3epss 0.02
"Clear History and Website Data" did not clear the history. The issue was addressed with improved data deletion. This issue is fixed in macOS Catalina 10.15. A user may be unable to delete browsing history items.
- risk 0.35cvss 5.3epss 0.01
The issue was addressed with improved handling of service worker lifetime. This issue is fixed in Safari 13.0.1. Service workers may leak private browsing history.
- risk 0.35cvss 5.3epss 0.01
A logic issue existed with the display of notification previews. This issue was addressed with improved validation. This issue is fixed in iOS 13. Notification previews may show on Bluetooth accessories even when previews are disabled.
- risk 0.35cvss 5.3epss 0.03
WebKitGTK and WPE WebKit prior to version 2.24.1 failed to properly apply configured HTTP proxy settings when downloading livestream video (HLS, DASH, or Smooth Streaming), an error resulting in deanonymization. This issue was corrected by changing the way livestreams are…
- risk 0.35cvss 5.3epss 0.01
A permissions issue existed. This issue was addressed with improved permission validation. This issue affected versions prior to iOS 12.
- risk 0.35cvss 5.3epss 0.01
A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement. This issue affected versions prior to iOS 12, macOS Mojave 10.14, tvOS 12.
- risk 0.35cvss 5.3epss 0.01
A cookie management issue was addressed with improved checks. This issue affected versions prior to iOS 11.4.1, macOS High Sierra 10.13.6, tvOS 11.4.1, watchOS 4.3.2, iTunes 12.8 for Windows, iCloud for Windows 7.6.
- risk 0.35cvss 5.3epss 0.01
An inconsistent user interface issue was addressed with improved state management. This issue affected versions prior to Safari 11.1.2.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. The Apple Support app before 1.2 for iOS is affected. The issue involves the "Analytics" component. It allows remote attackers to obtain sensitive analytics information by leveraging its presence in a cleartext HTTP transmission…
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Security" component. It allows attackers to track users across installs via a crafted app that leverages Keychain data mishandling.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Time" component. The "Setting Time Zone" feature mishandles the possibility of using location data.
- risk 0.35cvss 5.3epss 0.02
An issue was discovered in certain Apple products. Safari before 11 is affected. The issue involves the "WebKit Storage" component. It allows attackers to bypass the Safari Private Browsing protection mechanism, and consequently obtain sensitive information about visited web…
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. macOS before 10.13 is affected. The issue involves the "Mail" component. It allows remote attackers to bypass an intended off value of the "Load remote content in messages" setting, and consequently discover an e-mail…
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. iOS before 11 is affected. The issue involves the "Keyboard Suggestions" component. It allows attackers to obtain sensitive information by reading keyboard autocorrect suggestions.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. iOS before 11 is affected. macOS before 10.13 is affected. The issue involves the "Mail Drafts" component. It allows remote attackers to obtain sensitive information by reading unintended cleartext transmissions.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. Safari before 10.1.2 is affected. tvOS before 10.2.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to conduct a timing side-channel attack to bypass the Same…
- risk 0.35cvss 5.3epss 0.02
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "DataAccess" component. It allows remote attackers to access Exchange traffic in opportunistic circumstances by leveraging a mistake in typing an e-mail address.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. iOS before 10.3 is affected. The issue involves the "SafariViewController" component. It allows attackers to obtain sensitive information by leveraging the SafariViewController's incorrect synchronization of Safari cache…
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in certain Apple products. Pages before 6.1, Numbers before 4.1, and Keynote before 7.1 on macOS and Pages before 3.1, Numbers before 3.1, and Keynote before 3.1 on iOS are affected. The issue involves the "Export" component. It allows users to bypass…
- risk 0.35cvss 5.3epss 0.02
The Kerberos 5 (aka krb5) PAM module in Apple OS X before 10.12 does not use constant-time operations for determining username validity, which makes it easier for remote attackers to enumerate user accounts via a timing side-channel attack.
- risk 0.35cvss 5.3epss 0.01
CoreDisplay in Apple OS X before 10.12 allows attackers to view arbitrary users' screens by leveraging screen-sharing access.
- risk 0.35cvss 5.3epss 0.02
The Keyboards component in Apple iOS before 10 does not properly use a cache for auto-correct suggestions, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an unintended correction.
- risk 0.35cvss 5.3epss 0.01
FaceTime in Apple iOS before 9.3.3 and OS X before 10.11.6 allows man-in-the-middle attackers to spoof relayed-call termination, and obtain sensitive audio information in opportunistic circumstances, via unspecified vectors.
- risk 0.35cvss 5.4epss 0.01
Safari in Apple iOS before 9.3.3 allows remote attackers to spoof the displayed URL via an HTTP response specifying redirection to an invalid TCP port number.
- risk 0.35cvss 5.4epss 0.01
WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles about: URLs, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
- risk 0.35cvss 5.3epss 0.02
The Messages component in Apple OS X before 10.11.5 mishandles roster changes, which allows remote attackers to modify contact lists via unspecified vectors.
- risk 0.35cvss 5.3epss 0.02
Wiki Server in Apple OS X Server before 5.1 allows remote attackers to obtain sensitive information from Wiki pages via unspecified vectors.
- risk 0.35cvss 5.4epss 0.01
The Page Loading implementation in WebKit in Apple iOS before 9.3 and Safari before 9.1 mishandles HTTP responses with a 3xx (aka redirection) status code, which allows remote attackers to spoof the displayed URL, bypass the Same Origin Policy, and obtain sensitive cached…
- risk 0.35cvss 5.3epss 0.02
Web Server in Apple OS X Server before 5.1 does not properly restrict access to .DS_Store and .htaccess files, which allows remote attackers to obtain sensitive configuration information via an HTTP request.
- risk 0.35cvss 5.3epss 0.02
The Time Machine server in Server App in Apple OS X Server before 5.1 does not notify the user about ignored permissions during a backup, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading backup data that lacks…
- risk 0.35cvss 5.3epss 0.08
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
- risk 0.35cvss 5.4epss 0.01
WebSheet in Apple iOS before 9.2.1 allows remote attackers to read or write to cookies by operating a crafted captive portal.
- risk 0.35cvss 6.4epss 0.00
The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the…
- risk 0.35cvss 3.7epss 1.00
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by…
- risk 0.34cvss 5.3epss 0.00
An authorization issue was addressed with improved state management. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. An app may be able to leak sensitive user information.
- risk 0.34cvss 5.3epss 0.00
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS 26.5, watchOS 26.5. An attacker in a privileged network position…
Page 89 of 170