National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:apple:safari:1.2.4
There are 927 matching records.
Displaying matches 901 through 920.
Vuln ID Summary CVSS Severity
CVE-2007-6166

Stack-based buffer overflow in Apple QuickTime before 7.3.1, as used in QuickTime Player on Windows XP and Safari on Mac OS X, allows remote Real Time Streaming Protocol (RTSP) servers to execute arbitrary code via an RTSP response with a long Content-Type header.

Published: November 28, 2007; 08:46:00 PM -05:00
    V2: 9.3 HIGH
CVE-2007-4699

The default configuration of Safari in Apple Mac OS X 10.4 through 10.4.10 adds a private key to the keychain with permissions that allow other applications to access the key without warning the user, which might allow other applications to bypass intended access restrictions.

Published: November 14, 2007; 09:46:00 PM -05:00
    V2: 7.5 HIGH
CVE-2007-4692

The tabbed browsing feature in Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to spoof HTTP authentication for other sites and possibly conduct phishing attacks by causing an authentication sheet to be displayed for a tab that is not active, which makes it appear as if it is associated with the active tab.

Published: November 14, 2007; 07:46:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2007-4698

Apple Safari 3 before Beta Update 3.0.4 on Windows, and Mac OS X 10.4 through 10.4.10, allows remote attackers to conduct cross-site scripting (XSS) attacks by causing JavaScript events to be associated with the wrong frame.

Published: November 14, 2007; 07:46:00 PM -05:00
    V2: 4.3 MEDIUM
CVE-2007-5450

Unspecified vulnerability in Safari on the Apple iPod touch (aka iTouch) and iPhone 1.1.1 allows user-assisted remote attackers to cause a denial of service (application crash), and enable filesystem browsing by the local user, via a certain TIFF file.

Published: October 14, 2007; 02:17:00 PM -04:00
    V2: 9.3 HIGH
CVE-2007-3758

Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and in Mac OS X 10.4 through 10.4.10, allows remote attackers to set Javascript window properties for web pages that are in a different domain, which can be leveraged to conduct cross-site scripting (XSS) attacks.

Published: September 27, 2007; 06:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3759

Safari in Apple iPhone 1.1.1, when requested to disable Javascript, does not disable it until Safari is restarted, which might leave Safari open to attacks that the user does not expect.

Published: September 27, 2007; 06:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-3760

Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to inject arbitrary web script or HTML via frame tags.

Published: September 27, 2007; 06:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3761

Cross-site scripting (XSS) vulnerability in Safari in Apple iPhone 1.1.1 allows remote attackers to inject arbitrary web script or HTML by causing Javascript events to be applied to a frame in another domain.

Published: September 27, 2007; 06:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4671

Unspecified vulnerability in Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to "alter or access" HTTPS content via an HTTP session with a crafted web page that causes Javascript to be applied to HTTPS pages from the same domain.

Published: September 27, 2007; 06:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-3756

Safari in Apple iPhone 1.1.1, and Safari 3 before Beta Update 3.0.4 on Windows and Mac OS X 10.4 through 10.4.10, allows remote attackers to obtain sensitive information via a crafted web page that identifies the URL of the parent window, even when the parent window is in a different domain.

Published: September 27, 2007; 05:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3757

Safari in Apple iPhone 1.1.1 allows remote user-assisted attackers to trick the iPhone user into making calls to arbitrary telephone numbers via a crafted "tel:" link that causes iPhone to display a different number than the number that will be dialed.

Published: September 27, 2007; 05:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-4431

Cross-domain vulnerability in Apple Safari for Windows 3.0.3 and earlier allows remote attackers to bypass the Same Origin Policy, with access from local zones to external domains, via a certain body.innerHTML property value, aka "classic JavaScript frame hijacking."

Published: August 20, 2007; 03:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-4424

Apple Safari for Windows 3.0.3 and earlier does not prompt the user before downloading a file, which allows remote attackers to download arbitrary files to the desktop of a client system via certain HTML, as demonstrated by a filename in the DATA attribute of an OBJECT element. NOTE: it could be argued that this is not a vulnerability because a dangerous file is not actually launched, but as of 2007, it is generally accepted that web browsers should prompt users before saving dangerous content.

Published: August 18, 2007; 06:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3742

WebKit in Apple Safari 3 Beta before Update 3.0.3, and iPhone before 1.0.1, does not properly handle the interaction between International Domain Name (IDN) support and Unicode fonts, which allows remote attackers to create a URL containing "look-alike characters" (homographs) and possibly perform phishing attacks.

Published: August 03, 2007; 04:17:00 PM -04:00
    V2: 4.3 MEDIUM
CVE-2007-3743

Stack-based buffer overflow in bookmark handling in Apple Safari 3 Beta before Update 3.0.3 on Windows allows user-assisted remote attackers to cause a denial of service (application crash) or execute arbitrary code via a bookmark with a long title.

Published: August 03, 2007; 04:17:00 PM -04:00
    V2: 6.8 MEDIUM
CVE-2007-3482

Cross-domain vulnerability in Apple Safari for Windows 3.0.1 allows remote attackers to bypass the "same origin policy" and access restricted information from other domains via JavaScript that overwrites the document variable and statically sets the document.domain attribute.

Published: June 28, 2007; 02:30:00 PM -04:00
    V2: 7.8 HIGH
CVE-2007-3186

Apple Safari Beta 3.0.1 for Windows allows remote attackers to execute arbitrary commands via shell metacharacters in a URI in the SRC of an IFRAME, as demonstrated using a gopher URI.

Published: June 12, 2007; 06:30:00 PM -04:00
    V2: 9.3 HIGH
CVE-2007-2580

Unspecified vulnerability in Apple Safari allows local users to obtain sensitive information (saved keychain passwords) via the document.loginform.password.value JavaScript parameter loaded from an AppleScript script.

Published: May 09, 2007; 05:19:00 PM -04:00
    V2: 1.9 LOW
CVE-2007-2175

Apple QuickTime Java extensions (QTJava.dll), as used in Safari and other browsers, and when Java is enabled, allows remote attackers to execute arbitrary code via parameters to the toQTPointer method in quicktime.util.QTHandleRef, which can be used to modify arbitrary memory when creating QTPointerRef objects, as demonstrated during the "PWN 2 0WN" contest at CanSecWest 2007.

Published: April 24, 2007; 12:19:00 PM -04:00
    V2: 7.6 HIGH