Vulnerabilities > Apple > Iphone OS > 1.1.4

DATE CVE VULNERABILITY TITLE RISK
2015-03-11 CVE-2015-1067 Cryptographic Issues vulnerability in Apple Iphone OS, mac OS X and Tvos
Secure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1637.
network
apple CWE-310
4.3
2015-01-30 CVE-2014-8840 Cryptographic Issues vulnerability in Apple Iphone OS
The iTunes Store component in Apple iOS before 8.1.3 allows remote attackers to bypass a Safari sandbox protection mechanism by leveraging redirection of an SSL URL to the iTunes Store.
network
apple CWE-310
6.8
2015-01-30 CVE-2014-4496 Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS and Tvos
The mach_port_kobject interface in the kernel in Apple iOS before 8.1.3 and Apple TV before 7.0.3 does not properly restrict kernel-address and heap-permutation information, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app.
network
low complexity
apple CWE-264
5.0
2015-01-30 CVE-2014-4495 Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS, mac OS X and Tvos
The kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not enforce the read-only attribute of a shared memory segment during use of a custom cache mode, which allows attackers to bypass intended access restrictions via a crafted app.
network
low complexity
apple CWE-264
critical
10.0
2015-01-30 CVE-2014-4494 Improper Input Validation vulnerability in Apple Iphone OS
Springboard in Apple iOS before 8.1.3 does not properly validate signatures when determining whether to solicit an app trust decision from the user, which allows attackers to bypass intended first-launch restrictions by leveraging access to an enterprise distribution certificate for signing a crafted app.
network
apple CWE-20
6.8
2015-01-30 CVE-2014-4493 Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS
The app-installation functionality in MobileInstallation in Apple iOS before 8.1.3 allows attackers to obtain control of the local app container by leveraging access to an enterprise distribution certificate for signing a crafted app.
network
low complexity
apple CWE-264
7.5
2015-01-30 CVE-2014-4492 Data Processing Errors vulnerability in Apple Iphone OS, mac OS X and Tvos
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.
network
low complexity
apple CWE-19
7.5
2015-01-30 CVE-2014-4491 Information Exposure vulnerability in Apple Iphone OS, mac OS X and Tvos
The extension APIs in the kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 do not prevent the presence of addresses within an OSBundleMachOHeaders key in a response, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app.
network
low complexity
apple CWE-200
5.0
2015-01-30 CVE-2014-4489 Unspecified vulnerability in Apple Iphone OS, mac OS X and Tvos
IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly initialize event queues, which allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via a crafted app.
network
low complexity
apple
critical
10.0
2015-01-30 CVE-2014-4488 Data Processing Errors vulnerability in Apple Iphone OS, mac OS X and Tvos
IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not properly validate resource-queue metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
network
low complexity
apple CWE-19
critical
10.0