| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2016-1787 |
200 |
|
+Info |
2016-03-24 |
2016-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Wiki Server in Apple OS X Server before 5.1 allows remote attackers to obtain sensitive information from Wiki pages via unspecified vectors. |
|
2 |
CVE-2016-1777 |
310 |
|
|
2016-03-24 |
2016-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Web Server in Apple OS X Server before 5.1 supports the RC4 algorithm, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
|
3 |
CVE-2016-1776 |
284 |
|
+Info |
2016-03-24 |
2016-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Web Server in Apple OS X Server before 5.1 does not properly restrict access to .DS_Store and .htaccess files, which allows remote attackers to obtain sensitive configuration information via an HTTP request. |
|
4 |
CVE-2016-1774 |
284 |
|
+Info |
2016-03-24 |
2016-12-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Time Machine server in Server App in Apple OS X Server before 5.1 does not notify the user about ignored permissions during a backup, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading backup data that lacks intended restrictions. |
|
5 |
CVE-2015-7031 |
264 |
|
Bypass |
2015-10-23 |
2016-12-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors. |
|
6 |
CVE-2015-3185 |
264 |
|
Bypass |
2015-07-20 |
2021-06-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. |
|
7 |
CVE-2015-3165 |
|
|
DoS |
2015-05-28 |
2018-01-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence. |
|
8 |
CVE-2015-0253 |
|
|
DoS |
2015-07-20 |
2021-06-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI. |
|
9 |
CVE-2015-0228 |
20 |
|
DoS |
2015-03-08 |
2021-06-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. |
|
10 |
CVE-2014-1296 |
264 |
|
Bypass |
2014-04-23 |
2019-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction. |
|
11 |
CVE-2014-1265 |
264 |
|
Bypass |
2014-02-27 |
2014-02-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The systemsetup program in the Date and Time subsystem in Apple OS X before 10.9.2 allows local users to bypass intended access restrictions by changing the current time on the system clock. |
|
12 |
CVE-2014-0067 |
264 |
|
+Priv |
2014-03-31 |
2017-12-16 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster. |
|
13 |
CVE-2013-5704 |
|
|
Bypass |
2014-04-15 |
2022-04-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." |
|
14 |
CVE-2013-0990 |
264 |
|
|
2013-06-05 |
2013-06-05 |
4.9 |
None |
Remote |
Medium |
??? |
None |
Partial |
Partial |
|
SMB in Apple Mac OS X before 10.8.4, when file sharing is enabled, allows remote authenticated users to create or modify files outside of a shared directory via unspecified vectors. |
|
15 |
CVE-2013-0967 |
|
|
Bypass |
2013-03-15 |
2013-03-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CoreTypes in Apple Mac OS X before 10.8.3 includes JNLP files in the list of safe file types, which allows remote attackers to bypass a Java plug-in disabled setting, and trigger the launch of Java Web Start applications, via a crafted web site. |
|
16 |
CVE-2012-3723 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2012-09-20 |
2017-08-29 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apple Mac OS X before 10.7.5 does not properly handle the bNbrPorts field of a USB hub descriptor, which allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption and system crash) by attaching a USB device. |
|
17 |
CVE-2012-0675 |
287 |
|
|
2012-05-11 |
2012-05-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Time Machine in Apple Mac OS X before 10.7.4 does not require continued use of SRP-based authentication after this authentication method is first used, which allows remote attackers to read Time Capsule credentials by spoofing the backup volume. |
|
18 |
CVE-2012-0651 |
200 |
|
+Info |
2012-05-11 |
2017-12-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The directory server in Directory Service in Apple Mac OS X 10.6.8 allows remote attackers to obtain sensitive information from process memory via a crafted message. |
|
19 |
CVE-2011-3462 |
|
|
+Info |
2012-02-02 |
2012-02-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Time Machine in Apple Mac OS X before 10.7.3 does not verify the unique identifier of its remote AFP volume or Time Capsule, which allows remote attackers to obtain sensitive information contained in new backups by spoofing this storage object, a different vulnerability than CVE-2010-1803. |
|
20 |
CVE-2011-3452 |
200 |
|
+Info |
2012-02-02 |
2012-02-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Internet Sharing in Apple Mac OS X before 10.7.3 does not preserve the Wi-Fi configuration across software updates, which allows remote attackers to obtain sensitive information by leveraging the lack of a WEP password for a Wi-Fi network. |
|
21 |
CVE-2011-3447 |
200 |
|
+Info |
2012-02-02 |
2012-02-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple Mac OS X 10.7.x before 10.7.3 does not properly construct request headers during parsing of URLs, which allows remote attackers to obtain sensitive information via a malformed URL. |
|
22 |
CVE-2011-3444 |
310 |
|
|
2012-02-02 |
2012-02-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Address Book in Apple Mac OS X before 10.7.3 automatically switches to unencrypted sessions upon failure of encrypted connections, which allows remote attackers to read CardDAV data by terminating an encrypted connection and then sniffing the network. |
|
23 |
CVE-2011-3422 |
20 |
|
|
2011-09-12 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Keychain implementation in Apple Mac OS X 10.6.8 and earlier does not properly handle an untrusted attribute of a Certification Authority certificate, which makes it easier for man-in-the-middle attackers to spoof arbitrary SSL servers via an Extended Validation certificate, as demonstrated by https access with Safari. |
|
24 |
CVE-2011-3246 |
200 |
|
+Info |
2011-10-14 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple iOS before 5.0.1 and Mac OS X 10.7 before 10.7.2 does not properly parse URLs, which allows remote attackers to trigger visits to unintended web sites, and transmission of cookies to unintended web sites, via a crafted (1) http or (2) https URL. |
|
25 |
CVE-2011-3225 |
264 |
|
Bypass |
2011-10-14 |
2012-01-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SMB File Server component in Apple Mac OS X 10.7 before 10.7.2 does not prevent all guest users from accessing the share point record of a guest-restricted folder, which allows remote attackers to bypass intended browsing restrictions by leveraging access to the nobody account. |
|
26 |
CVE-2011-3220 |
200 |
|
+Info |
2011-10-14 |
2012-01-14 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
QuickTime in Apple Mac OS X before 10.7.2 does not properly process URL data handlers in movie files, which allows remote attackers to obtain sensitive information from uninitialized memory locations via a crafted file. |
|
27 |
CVE-2011-3214 |
264 |
|
Bypass |
2011-10-14 |
2012-01-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IOGraphics in Apple Mac OS X through 10.6.8 does not properly handle a locked-screen state in display sleep mode for an Apple Cinema Display, which allows physically proximate attackers to bypass the password requirement via unspecified vectors. |
|
28 |
CVE-2011-1132 |
|
|
DoS |
2011-06-24 |
2011-10-27 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The IPv6 implementation in the kernel in Apple Mac OS X before 10.6.8 allows local users to cause a denial of service (NULL pointer dereference and reboot) via vectors involving socket options. |
|
29 |
CVE-2011-0260 |
264 |
|
Bypass |
2011-10-14 |
2012-01-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The CoreProcesses component in Apple Mac OS X 10.7 before 10.7.2 does not prevent a system window from receiving keystrokes in the locked-screen state, which might allow physically proximate attackers to bypass intended access restrictions by typing into this window. |
|
30 |
CVE-2011-0231 |
200 |
|
+Info |
2011-10-14 |
2012-01-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple Mac OS X before 10.7.2 does not properly follow an intended cookie-storage policy, which makes it easier for remote web servers to track users via a cookie, related to a "synchronization issue." |
|
31 |
CVE-2011-0207 |
310 |
|
+Info |
2011-06-24 |
2011-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The MobileMe component in Apple Mac OS X before 10.6.8 uses a cleartext HTTP session for the Mail application to read e-mail aliases, which allows remote attackers to obtain potentially sensitive alias information by sniffing the network. |
|
32 |
CVE-2011-0203 |
22 |
|
Dir. Trav. |
2011-06-24 |
2011-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Absolute path traversal vulnerability in xftpd in the FTP Server component in Apple Mac OS X before 10.6.8 allows remote attackers to list arbitrary directories by using the root directory as the starting point of a recursive listing. |
|
33 |
CVE-2011-0199 |
20 |
|
|
2011-06-24 |
2011-10-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Certificate Trust Policy component in Apple Mac OS X before 10.6.8 does not perform CRL checking for Extended Validation (EV) certificates that lack OCSP URLs, which might allow man-in-the-middle attackers to spoof an SSL server via a revoked certificate. |
|
34 |
CVE-2011-0190 |
20 |
|
|
2011-03-23 |
2011-03-23 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Install Helper in Installer in Apple Mac OS X before 10.6.7 does not properly process an unspecified URL, which might allow remote attackers to track user logins by logging network traffic from an agent that was intended to send network traffic to an Apple server. |
|
35 |
CVE-2011-0189 |
16 |
|
|
2011-03-23 |
2011-03-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The default configuration of Terminal in Apple Mac OS X 10.6 before 10.6.7 uses SSH protocol version 1 within the New Remote Connection dialog, which might make it easier for man-in-the-middle attackers to spoof SSH servers by leveraging protocol vulnerabilities. |
|
36 |
CVE-2011-0187 |
200 |
|
Bypass +Info |
2011-03-23 |
2011-10-21 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The plug-in in QuickTime in Apple Mac OS X before 10.6.7 allows remote attackers to bypass the Same Origin Policy and obtain potentially sensitive video data via vectors involving a cross-site redirect. |
|
37 |
CVE-2011-0185 |
134 |
|
+Priv |
2011-10-14 |
2012-01-14 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Format string vulnerability in the debug-logging feature in Application Firewall in Apple Mac OS X before 10.7.2 allows local users to gain privileges via a crafted name of an executable file. |
|
38 |
CVE-2011-0183 |
189 |
|
DoS |
2011-03-23 |
2011-03-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Libinfo in Apple Mac OS X before 10.6.7 does not properly handle an unspecified integer field in an NFS RPC packet, which allows remote attackers to cause a denial of service (lockd, statd, mountd, or portmap outage) via a crafted packet, related to an "integer truncation issue." |
|
39 |
CVE-2011-0172 |
189 |
|
DoS |
2011-03-23 |
2011-03-24 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
AirPort in Apple Mac OS X 10.6 before 10.6.7 allows remote attackers to cause a denial of service (divide-by-zero error and reboot) via Wi-Fi frames on the local wireless network, a different vulnerability than CVE-2011-0162. |
|
40 |
CVE-2010-4011 |
200 |
|
+Info |
2010-11-17 |
2010-11-17 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Dovecot in Apple Mac OS X 10.6.5 10H574 does not properly manage memory for user names, which allows remote authenticated users to read the private e-mail of other persons in opportunistic circumstances via standard e-mail clients accessing a user's own mailbox, related to a "memory aliasing issue." |
|
41 |
CVE-2010-3797 |
79 |
|
XSS |
2010-11-16 |
2010-12-10 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
42 |
CVE-2010-3796 |
200 |
|
+Info |
2010-11-16 |
2010-11-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Safari RSS in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not block Java applets in an RSS feed, which allows remote attackers to obtain sensitive information via a feed: URL containing an applet that performs DOM modifications. |
|
43 |
CVE-2010-3784 |
|
|
DoS |
2010-11-16 |
2010-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The PMPageFormatCreateWithDataRepresentation API in Printing in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not properly handle XML data, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified API calls. |
|
44 |
CVE-2010-1847 |
399 |
|
DoS |
2010-11-16 |
2010-12-10 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The kernel in Apple Mac OS X 10.6.x before 10.6.5 does not properly perform memory management associated with terminal devices, which allows local users to cause a denial of service (system crash) via unspecified vectors. |
|
45 |
CVE-2010-1838 |
287 |
|
Bypass |
2010-11-15 |
2011-01-12 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Directory Services in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 does not properly handle errors associated with disabled mobile accounts, which allows remote attackers to bypass authentication by providing a valid account name. |
|
46 |
CVE-2010-1834 |
20 |
|
|
2010-11-15 |
2010-12-10 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
CFNetwork in Apple Mac OS X 10.6.x before 10.6.5 does not properly validate the domains of cookies, which makes it easier for remote web servers to track users by setting a cookie that is associated with a partial IP address. |
|
47 |
CVE-2010-1830 |
|
|
|
2010-11-15 |
2010-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 generates different error messages depending on whether a share exists, which allows remote attackers to enumerate valid share names via unspecified vectors. |
|
48 |
CVE-2010-1828 |
20 |
|
DoS |
2010-11-15 |
2010-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
AFP Server in Apple Mac OS X 10.5.8 and 10.6.x before 10.6.5 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon restart) via crafted reconnect authentication packets. |
|
49 |
CVE-2010-1803 |
|
|
+Info |
2010-11-15 |
2010-12-10 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Time Machine in Apple Mac OS X 10.6.x before 10.6.5 does not verify the unique identifier of its remote AFP volume, which allows remote attackers to obtain sensitive information by spoofing this volume. |
|
50 |
CVE-2010-1382 |
79 |
|
XSS |
2010-06-17 |
2010-06-18 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Wiki Server in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote authenticated users to inject arbitrary web script or HTML via crafted Wiki content, related to lack of a charset field. |
