| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2014-4460 |
200 |
|
+Info |
2014-11-18 |
2017-08-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1 does not properly clear the browsing cache upon a transition out of private-browsing mode, which makes it easier for physically proximate attackers to obtain sensitive information by reading cache files. |
|
2 |
CVE-2014-4458 |
200 |
|
+Info |
2014-11-18 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The "System Profiler About This Mac" component in Apple OS X before 10.10.1 includes extraneous cookie data in system-model requests, which might allow remote attackers to obtain sensitive information via unspecified vectors. |
|
3 |
CVE-2014-4453 |
200 |
|
+Info |
2014-11-18 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Apple iOS before 8.1.1 and OS X before 10.10.1 include location data during establishment of a Spotlight Suggestions server connection by Spotlight or Safari, which might allow remote attackers to obtain sensitive information via unspecified vectors. |
|
4 |
CVE-2014-1379 |
|
|
DoS +Priv |
2014-07-01 |
2015-11-20 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Graphics Drivers in Apple OS X before 10.9.4 allows attackers to gain privileges or cause a denial of service (NULL pointer dereference and system crash) via a 32-bit executable file for a crafted application. |
|
5 |
CVE-2014-1377 |
|
|
Exec Code |
2014-07-01 |
2015-11-20 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Array index error in IOAcceleratorFamily in Apple OS X before 10.9.4 allows attackers to execute arbitrary code via a crafted application. |
|
6 |
CVE-2014-1376 |
264 |
|
Exec Code |
2014-07-01 |
2015-11-20 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Intel Compute in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenCL API call, which allows attackers to execute arbitrary code via a crafted application. |
|
7 |
CVE-2014-1373 |
264 |
|
Exec Code |
2014-07-01 |
2015-11-20 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Intel Graphics Driver in Apple OS X before 10.9.4 does not properly restrict an unspecified OpenGL API call, which allows attackers to execute arbitrary code via a crafted application. |
|
8 |
CVE-2014-1372 |
264 |
|
Bypass +Info |
2014-07-01 |
2015-11-20 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
Graphics Driver in Apple OS X before 10.9.4 does not properly restrict read operations during processing of an unspecified system call, which allows local users to obtain sensitive information from kernel memory and bypass the ASLR protection mechanism via a crafted call. |
|
9 |
CVE-2014-1371 |
119 |
|
DoS Exec Code Overflow |
2014-07-01 |
2015-12-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Array index error in Dock in Apple OS X before 10.9.4 allows attackers to execute arbitrary code or cause a denial of service (incorrect function-pointer dereference and application crash) by leveraging access to a sandboxed application for sending a message. |
|
10 |
CVE-2014-1370 |
119 |
|
DoS Exec Code Overflow |
2014-07-01 |
2016-12-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive. |
|
11 |
CVE-2014-1318 |
20 |
|
Exec Code |
2014-04-23 |
2014-04-23 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Intel Graphics Driver in Apple OS X through 10.9.2 does not properly validate a certain pointer, which allows attackers to execute arbitrary code via a crafted application. |
|
12 |
CVE-2014-1314 |
264 |
|
Exec Code Bypass |
2014-04-23 |
2014-04-24 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
WindowServer in Apple OS X through 10.9.2 does not prevent session creation by a sandboxed application, which allows attackers to bypass the sandbox protection mechanism and execute arbitrary code via a crafted application. |
|
13 |
CVE-2014-1296 |
264 |
|
Bypass |
2014-04-23 |
2019-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction. |
|
14 |
CVE-2014-1295 |
287 |
|
+Info |
2014-04-23 |
2019-03-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack." |
|
15 |
CVE-2014-1270 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2014-02-27 |
2016-12-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1269. |
|
16 |
CVE-2014-1269 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2014-02-27 |
2016-12-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1268 and CVE-2014-1270. |
|
17 |
CVE-2014-1268 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2014-02-27 |
2016-12-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
WebKit, as used in Apple Safari before 6.1.2 and 7.x before 7.0.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1269 and CVE-2014-1270. |
|
18 |
CVE-2014-1265 |
264 |
|
Bypass |
2014-02-27 |
2014-02-27 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The systemsetup program in the Date and Time subsystem in Apple OS X before 10.9.2 allows local users to bypass intended access restrictions by changing the current time on the system clock. |
|
19 |
CVE-2014-1260 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2014-02-27 |
2014-03-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
QuickLook in Apple OS X through 10.8.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Microsoft Office document. |
|
20 |
CVE-2014-1259 |
119 |
|
DoS Exec Code Overflow |
2014-02-27 |
2014-03-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in File Bookmark in Apple OS X before 10.9.2 allows attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted filename. |
|
21 |
CVE-2014-1258 |
119 |
|
DoS Exec Code Overflow |
2014-02-27 |
2014-02-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in CoreAnimation in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted image. |
|
22 |
CVE-2014-1257 |
264 |
|
Bypass |
2014-02-27 |
2014-02-27 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
CFNetwork in Apple OS X through 10.8.5 does not remove session cookies upon a Safari reset action, which allows physically proximate attackers to bypass intended access restrictions by leveraging an unattended workstation. |
|
23 |
CVE-2014-1256 |
119 |
|
Overflow Bypass |
2014-02-27 |
2014-02-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in Apple Type Services (ATS) in Apple OS X before 10.9.2 allows attackers to bypass the App Sandbox protection mechanism via crafted Mach messages. |
|
24 |
CVE-2014-1254 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2014-02-27 |
2014-02-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Apple Type Services (ATS) in Apple OS X before 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Type 1 font that is embedded in a document. |
|
25 |
CVE-2013-5192 |
20 |
|
DoS |
2013-10-24 |
2013-10-24 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The USB hub controller in Apple Mac OS X before 10.9 allows local users to cause a denial of service (system crash) via a request with a crafted (1) port or (2) port number. |
|
26 |
CVE-2013-5191 |
264 |
|
+Info |
2013-10-24 |
2013-10-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The syslog implementation in Apple Mac OS X before 10.9 allows local users to obtain sensitive information by leveraging access to the Guest account and reading console-log messages from previous Guest sessions. |
|
27 |
CVE-2013-5190 |
264 |
|
DoS |
2013-10-24 |
2013-10-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Smart Card Services in Apple Mac OS X before 10.9 does not properly implement certificate-revocation checks, which allows remote attackers to cause a denial of service (Smart Card usage outage) by interfering with the revocation-check procedure. |
|
28 |
CVE-2013-5189 |
264 |
|
Bypass |
2013-10-24 |
2013-10-24 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Apple Mac OS X before 10.9 does not preserve a certain administrative system-preferences setting across software updates, which allows context-dependent attackers to bypass intended access restrictions in opportunistic circumstances by leveraging an unintended security configuration after the completion of an update. |
|
29 |
CVE-2013-5188 |
264 |
|
|
2013-10-24 |
2013-10-24 |
4.0 |
None |
Local |
High |
Not required |
Complete |
None |
None |
|
The Screen Lock implementation in Apple Mac OS X before 10.9, when hibernation and autologin are enabled, does not require a password for a transition out of hibernation, which allows physically proximate attackers to obtain access by visiting an unattended workstation in the hibernating state. |
|
30 |
CVE-2013-5187 |
264 |
|
+Info |
2013-10-24 |
2013-10-24 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
The Screen Lock implementation in Apple Mac OS X before 10.9 does not immediately accept Keychain Status menu Lock Screen commands, and instead incorrectly relies on a certain timeout setting, which allows physically proximate attackers to obtain sensitive information by reading a screen that should have transitioned into the locked state. |
|
31 |
CVE-2013-5186 |
264 |
|
+Info |
2013-10-24 |
2013-10-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Power Management in Apple Mac OS X before 10.9 does not properly handle the interaction between locking and power assertions, which allows physically proximate attackers to obtain sensitive information by reading a screen that should have transitioned into the locked state. |
|
32 |
CVE-2013-5185 |
310 |
|
+Info |
2013-10-24 |
2013-10-24 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The ldapsearch command-line program in OpenLDAP in Apple Mac OS X before 10.9 does not properly process the minssf configuration setting, which allows remote attackers to obtain sensitive information by leveraging unintended weak encryption and sniffing the network. |
|
33 |
CVE-2013-5184 |
399 |
|
DoS |
2013-10-24 |
2013-10-24 |
5.7 |
None |
Local Network |
Medium |
Not required |
None |
None |
Complete |
|
The kernel in Apple Mac OS X before 10.9 does not properly check for errors during the processing of multicast Wi-Fi packets, which allows remote attackers to cause a denial of service (system crash) by leveraging presence in an 802.11 network's coverage area. |
|
34 |
CVE-2013-5183 |
200 |
|
+Info |
2013-10-24 |
2013-10-24 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Mail in Apple Mac OS X before 10.9, when Kerberos authentication is enabled and TLS is disabled, sends invalid cleartext data, which allows remote attackers to obtain sensitive information by sniffing the network. |
|
35 |
CVE-2013-5182 |
310 |
|
|
2013-10-24 |
2013-10-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Mail in Apple Mac OS X before 10.9 allows remote attackers to spoof the existence of a cryptographic signature for an e-mail message by using the multipart/signed content type within an unsigned message. |
|
36 |
CVE-2013-5181 |
310 |
|
+Info |
2013-10-24 |
2013-10-24 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The auto-configuration feature in Mail in Apple Mac OS X before 10.9 selects plaintext authentication for unspecified servers that support CRAM-MD5 authentication, which allows remote attackers to obtain sensitive information by sniffing the network. |
|
37 |
CVE-2013-5180 |
310 |
|
|
2013-10-24 |
2013-10-24 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The srandomdev function in Libc in Apple Mac OS X before 10.9, when the kernel random-number generator is unavailable, produces predictable values instead of the intended random values, which makes it easier for context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of these values, related to a compiler-optimization issue. |
|
38 |
CVE-2013-5179 |
264 |
|
Bypass |
2013-10-24 |
2014-03-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
App Sandbox in Apple Mac OS X before 10.9 allows attackers to bypass intended sandbox restrictions via a crafted app that uses the LaunchServices interface to specify process arguments. |
|
39 |
CVE-2013-5178 |
264 |
|
|
2013-10-24 |
2014-03-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
LaunchServices in Apple Mac OS X before 10.9 does not properly restrict Unicode characters in filenames, which allows context-dependent attackers to spoof file extensions via a crafted character sequence. |
|
40 |
CVE-2013-5177 |
189 |
|
DoS |
2013-10-24 |
2013-10-24 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The kernel in Apple Mac OS X before 10.9 allows local users to cause a denial of service (panic) via an invalid iovec structure. |
|
41 |
CVE-2013-5176 |
189 |
|
DoS |
2013-10-24 |
2013-10-24 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The kernel in Apple Mac OS X before 10.9 does not properly handle integer values during unspecified tty device operations, which allows local users to cause a denial of service (system hang) by triggering a truncation error. |
|
42 |
CVE-2013-5175 |
20 |
|
DoS +Info |
2013-10-24 |
2013-10-25 |
6.6 |
None |
Local |
Low |
Not required |
Complete |
None |
Complete |
|
The kernel in Apple Mac OS X before 10.9 allows local users to obtain sensitive information or cause a denial of service (out-of-bounds read and system crash) via a crafted Mach-O file. |
|
43 |
CVE-2013-5174 |
189 |
|
DoS |
2013-10-24 |
2013-10-24 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Integer signedness error in the kernel in Apple Mac OS X before 10.9 allows local users to cause a denial of service (system crash) via a crafted tty read operation. |
|
44 |
CVE-2013-5173 |
310 |
|
DoS |
2013-10-24 |
2013-10-25 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The random-number generator in the kernel in Apple Mac OS X before 10.9 provides lengthy exclusive access for processing of large requests, which allows local users to cause a denial of service (temporary generator outage) via an application that requires many random numbers. |
|
45 |
CVE-2013-5172 |
189 |
|
DoS |
2013-10-24 |
2013-10-24 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The kernel in Apple Mac OS X before 10.9 does not properly determine the output length for SHA-2 digest function calls, which allows context-dependent attackers to cause a denial of service (panic) by triggering a digest operation, as demonstrated by an IPSec connection. |
|
46 |
CVE-2013-5171 |
264 |
|
Bypass |
2013-10-24 |
2013-10-24 |
3.3 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
None |
|
CoreGraphics in Apple Mac OS X before 10.9 allows local users to bypass secure input mode and log an arbitrary application's keystrokes via a hotkey event registration. |
|
47 |
CVE-2013-5170 |
119 |
|
DoS Exec Code Overflow |
2013-10-24 |
2014-04-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Buffer underflow in CoreGraphics in Apple Mac OS X before 10.9 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. |
|
48 |
CVE-2013-5169 |
264 |
|
+Info |
2013-10-24 |
2013-10-25 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
CoreGraphics in Apple Mac OS X before 10.9, when display-sleep mode is used, does not ensure that screen locking blocks the visibility of all windows, which allows physically proximate attackers to obtain sensitive information by reading the screen. |
|
49 |
CVE-2013-5168 |
20 |
|
|
2013-10-24 |
2013-10-24 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Console in Apple Mac OS X before 10.9 allows user-assisted remote attackers to execute arbitrary applications by triggering a log entry with a crafted attached URL. |
|
50 |
CVE-2013-5167 |
16 |
|
|
2013-10-24 |
2013-10-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
CFNetwork in Apple Mac OS X before 10.9 does not properly support Safari's deletion of session cookies in response to a reset operation, which makes it easier for remote web servers to track users via Set-Cookie HTTP headers. |
