Vulnerabilities > Apple > Medium

DATE CVE VULNERABILITY TITLE RISK
2014-04-23 CVE-2014-1320 Information Exposure vulnerability in Apple Iphone OS, mac OS X and Tvos
IOKit in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 places kernel pointers into an object data structure, which makes it easier for local users to bypass the ASLR protection mechanism by reading unspecified attributes of the object.
local
low complexity
apple CWE-200
4.9
2014-04-23 CVE-2014-1319 Buffer Errors vulnerability in Apple mac OS X 10.9/10.9.1/10.9.2
Buffer overflow in ImageIO in Apple OS X 10.9.x through 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted JPEG image.
network
apple CWE-119
6.8
2014-04-23 CVE-2014-1316 Improper Input Validation vulnerability in Apple mac OS X
Heimdal, as used in Apple OS X through 10.9.2, allows remote attackers to cause a denial of service (abort and daemon exit) via ASN.1 data encountered in the Kerberos 5 protocol.
network
low complexity
apple CWE-20
5.0
2014-04-23 CVE-2014-1315 USE of Externally-Controlled Format String vulnerability in Apple mac OS X 10.9/10.9.1/10.9.2
Format string vulnerability in CoreServicesUIAgent in Apple OS X 10.9.x through 10.9.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a URL.
network
apple CWE-134
6.8
2014-04-23 CVE-2014-1296 Permissions, Privileges, and Access Controls vulnerability in Apple products
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
network
apple CWE-264
4.3
2014-04-23 CVE-2014-1295 Improper Authentication vulnerability in Apple Iphone OS, mac OS X and Tvos
Secure Transport in Apple iOS before 7.1.1, Apple OS X 10.8.x and 10.9.x through 10.9.2, and Apple TV before 6.1.1 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which allows man-in-the-middle attackers to obtain sensitive information or modify TLS session data via a "triple handshake attack."
network
apple CWE-287
6.8
2014-04-18 CVE-2014-2856 Cross-Site Scripting vulnerability in Apple Cups
Cross-site scripting (XSS) vulnerability in scheduler/client.c in Common Unix Printing System (CUPS) before 1.7.2 allows remote attackers to inject arbitrary web script or HTML via the URL path, related to the is_path_absolute function.
network
apple CWE-79
4.3
2014-04-08 CVE-2014-0509 Cross-Site Scripting vulnerability in Adobe Air, Adobe AIR SDK and Flash Player
Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
4.3
2014-04-08 CVE-2014-0508 Permissions, Privileges, and Access Controls vulnerability in Adobe Air, Adobe AIR SDK and Flash Player
Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.
network
low complexity
adobe linux apple microsoft CWE-264
5.0
2014-04-02 CVE-2014-1313 Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Safari
WebKit, as used in Apple Safari before 6.1.3 and 7.x before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-04-01-1.
network
apple CWE-119
6.8