U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): cpe:2.3:o:apple:mac_os_x:10.1.0:*:*:*:*:*:*:*
There are 1,935 matching records.
Displaying matches 1,621 through 1,640.
Vuln ID Summary CVSS Severity
CVE-2014-4495

The kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not enforce the read-only attribute of a shared memory segment during use of a custom cache mode, which allows attackers to bypass intended access restrictions via a crafted app.

Published: January 30, 2015; 6:59:24 AM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2014-4492

libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.

Published: January 30, 2015; 6:59:21 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-4491

The extension APIs in the kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 do not prevent the presence of addresses within an OSBundleMachOHeaders key in a response, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app.

Published: January 30, 2015; 6:59:20 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-4489

IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly initialize event queues, which allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app.

Published: January 30, 2015; 6:59:20 AM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2014-4488

IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly validate resource-queue metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

Published: January 30, 2015; 6:59:19 AM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2014-4487

Buffer overflow in IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows attackers to execute arbitrary code in a privileged context via a crafted app.

Published: January 30, 2015; 6:59:18 AM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2014-4486

IOAcceleratorFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly handle resource lists and IOService userclient types, which allows attackers to execute arbitrary code or cause a denial of service (NULL pointer dereference) via a crafted app.

Published: January 30, 2015; 6:59:17 AM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2014-4485

Buffer overflow in the XML parser in Foundation in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted XML document.

Published: January 30, 2015; 6:59:16 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-4484

FontParser in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted .dfont file.

Published: January 30, 2015; 6:59:15 AM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-4483

Buffer overflow in FontParser in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted font file in a PDF document.

Published: January 30, 2015; 6:59:14 AM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2014-4481

Integer overflow in CoreGraphics in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document.

Published: January 30, 2015; 6:59:13 AM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

Published: January 28, 2015; 2:59:00 PM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2015-0973

Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.

Published: January 18, 2015; 1:59:03 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-8151

The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.

Published: January 15, 2015; 10:59:07 AM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2014-9495

Heap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16, when running on 64-bit systems, might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.

Published: January 10, 2015; 2:59:00 PM -0500
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2014-9425

Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

Published: December 30, 2014; 9:59:00 PM -0500
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2014-9365

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: December 12, 2014; 6:59:07 AM -0500
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2014-3620

cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.

Published: November 18, 2014; 10:59:01 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-3613

cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.

Published: November 18, 2014; 10:59:00 AM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2014-4461

The kernel in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly validate IOSharedDataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted application.

Published: November 18, 2014; 6:59:08 AM -0500
V3.x:(not available)
V2.0: 9.3 HIGH