Vulnerabilities > Apple > Medium

DATE CVE VULNERABILITY TITLE RISK
2014-07-29 CVE-2014-5031 Permissions, Privileges, and Access Controls vulnerability in multiple products
The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtains sensitive information via unspecified vectors.
network
low complexity
apple canonical CWE-264
5.0
2014-07-09 CVE-2014-4671 Cross-Site Request Forgery (CSRF) vulnerability in Adobe Air, Adobe AIR SDK and Flash Player
Adobe Flash Player before 13.0.0.231 and 14.x before 14.0.0.145 on Windows and OS X and before 11.2.202.394 on Linux, Adobe AIR before 14.0.0.137 on Android, Adobe AIR SDK before 14.0.0.137, and Adobe AIR SDK & Compiler before 14.0.0.137 do not properly restrict the SWF file format, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks against JSONP endpoints, and obtain sensitive information, via a crafted OBJECT element with SWF content satisfying the character-set requirements of a callback API.
4.3
2014-07-01 CVE-2014-1383 Permissions, Privileges, and Access Controls vulnerability in Apple Tvos
Apple TV before 6.1.2 allows remote authenticated users to bypass an intended password requirement for iTunes Store purchase transactions via unspecified vectors.
network
low complexity
apple CWE-264
5.5
2014-07-01 CVE-2014-1382 Buffer Errors vulnerability in Apple Iphone OS, Safari and Tvos
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
network
apple CWE-119
6.8
2014-07-01 CVE-2014-1372 Permissions, Privileges, and Access Controls vulnerability in Apple mac OS X
Graphics Driver in Apple OS X before 10.9.4 does not properly restrict read operations during processing of an unspecified system call, which allows local users to obtain sensitive information from kernel memory and bypass the ASLR protection mechanism via a crafted call.
local
low complexity
apple CWE-264
4.9
2014-07-01 CVE-2014-1370 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X and mac OS X Server
The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive.
network
apple CWE-119
6.8
2014-07-01 CVE-2014-1369 Improper Input Validation vulnerability in Apple Safari
WebKit in Apple Safari before 6.1.5 and 7.x before 7.0.5 allows user-assisted remote attackers to access file: URLs by leveraging a URL drag operation that originates at a crafted web site.
network
apple CWE-20
4.3
2014-07-01 CVE-2014-1368 Buffer Errors vulnerability in Apple Iphone OS, Safari and Tvos
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
network
apple CWE-119
6.8
2014-07-01 CVE-2014-1367 Buffer Errors vulnerability in Apple Iphone OS, Safari and Tvos
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
network
apple CWE-119
6.8
2014-07-01 CVE-2014-1366 Buffer Errors vulnerability in Apple Iphone OS, Safari and Tvos
WebKit, as used in Apple iOS before 7.1.2, Apple Safari before 6.1.5 and 7.x before 7.0.5, and Apple TV before 6.1.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-06-30-1, APPLE-SA-2014-06-30-3, and APPLE-SA-2014-06-30-4.
network
apple CWE-119
6.8