Weekly Vulnerabilities Reports > September 15 to 21, 2014

Overview

9 new vulnerabilities were reported during this period, including 0 critical vulnerabilities and 5 high severity vulnerabilities. This weekly summary reports vulnerabilities in 4 products from 1 vendor, Apple. Vulnerabilities are notably categorized as "Improper Input Validation", "Cryptographic Issues", "Out-of-bounds Write", "Information Exposure", and "Cross-site Scripting".

  • 2 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 8 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 9 reported vulnerabilities.


Vulnerability Details

The following tables list the vulnerabilities reported for the period covered by this report:

0 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

5 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

2014-09-18 CVE-2014-4422 Apple Cryptographic Issues vulnerability in Apple iPhone OS and tvOS (CVSS 8.1)

The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, which allows attackers to bypass certain kernel-hardening protection mechanisms by using a user-space process to observe data related to the random numbers.

2014-09-18 CVE-2014-4418 Apple Improper Input Validation vulnerability in Apple iPhone OS (CVSS 7.8)

IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4388.

2014-09-18 CVE-2014-4404 Apple Out-of-bounds Write vulnerability in Apple iPhone OS and Mac OS X (CVSS 7.8)

Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties.

2014-09-18 CVE-2014-4388 Apple Improper Input Validation vulnerability in Apple Mac OS X (CVSS 7.8)

IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4418.

2014-09-18 CVE-2014-4375 Apple Unspecified vulnerability in Apple Mac OS X (CVSS 7.8)

Double free vulnerability in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (device crash) via vectors related to Mach ports.

3 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS

2014-09-19 CVE-2014-4406 Apple Cross-site Scripting vulnerability in Apple OS X Server (CVSS 6.1)

Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2014-09-18 CVE-2014-4364 Apple Cryptographic Issues vulnerability in Apple iPhone OS (CVSS 5.6)

The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash.

2014-09-18 CVE-2014-4373 Apple Unspecified vulnerability in Apple iPhone OS (CVSS 5.5)

The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted application.

1 Low Vulnerability

DATE CVE VENDOR VULNERABILITY CVSS

2014-09-18 CVE-2014-4407 Apple Information Exposure vulnerability in Apple iPhone OS and tvOS (CVSS 3.3)

IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls.