Apple iOS vulnerabilities
3,941 known vulnerabilities affecting apple/iphone_os.
Total CVEs: 3,941
CISA KEV: 92 (actively exploited)
Public exploits: 248
Exploited in wild: 79
Severity breakdown: CRITICAL 313, HIGH 1610, MEDIUM 1731, LOW 287
Vulnerabilities
Page 176 of 198
CVE-2014-1275 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6, v7.0, +5 more | 2014-03-14
Buffer overflow in ImageIO in Apple iOS before 7.1 and Apple TV before 6.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted JPEG2000 data in a PDF document.
nvd
CVE-2014-1267 | MEDIUM | CVSS 5.8 | CWE-20 | ≤ 7.0.6, v7.0, +5 more | 2014-03-14
The Configuration Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 does not properly evaluate the expiration date of a mobile configuration profile, which allows attackers to bypass intended access restrictions by using a profile after the date has passed.
nvd
CVE-2014-1282 | MEDIUM | CVSS 5.8 | CWE-264 | ≤ 7.0.6, v7.0, +5 more | 2014-03-14
The Profiles component in Apple iOS before 7.1 and Apple TV before 6.1 allows attackers to bypass intended configuration-profile visibility requirements via a long name.
nvd
CVE-2014-1289 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6, v7.0, +5 more | 2014-03-14
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, CVE-2014-1293, and CVE-2014-1294.
nvd
CVE-2014-1293 | MEDIUM | CVSS 6.8 | ≤ 7.0.6, v7.0, +5 more | 2014-03-14
WebKit, as used in Apple iOS before 7.1 and Apple TV before 6.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2014-1289, CVE-2014-1290, CVE-2014-1291, CVE-2014-1292, and CVE-2014-1294.
nvd
CVE-2014-1281 | LOW | CVSS 1.9 | CWE-264 | ≤ 7.0.6, v7.0, +5 more | 2014-03-14
Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the Photos app and looking under a transparent image.
nvd
CVE-2014-1274 | LOW | CVSS 2.1 | CWE-200 | ≤ 7.0.6, v7.0, +5 more | 2014-03-14
FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call.
nvd
CVE-2014-1266 | HIGH | CVSS 7.4 | CWE-295 | ≥ 6.0, < 6.1.6; ≥ 7.0, < 7.0.6 | 2014-02-22
The SSLVerifySignedServerKeyExchange function in libsecurity_ssl/lib/sslKeyExchange.c in the Secure Transport feature in the Data Security component in Apple iOS 6.x before 6.1.6 and 7.x before 7.0.6, Apple TV 6.x before 6.0.2, and Apple OS X 10.9.x before 10.9.2 does not check the signature in a TLS Server Key Exchange message, which allows man-in-the-m
nvd
CVE-2014-2019 | MEDIUM | CVSS 4.6 | CWE-264 | fixed in 7.1 | 2014-02-18
The iCloud subsystem in Apple iOS before 7.1 allows physically proximate attackers to bypass an intended password requirement, and turn off the Find My iPhone service or complete a Delete Account action and then associate this service with a different Apple ID account, by entering an arbitrary iCloud Account Password value and a blank iCloud Account D
nvd
CVE-2014-1252 | HIGH | CVSS 7.5 | CWE-415 | ≤ 7.0 | 2014-01-24
Double free vulnerability in Apple Pages 2.x before 2.1 and 5.x before 5.1 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted Microsoft Word file.
nvd
CVE-2013-0340 | MEDIUM | CVSS 6.8 | CWE-611 | fixed in 14.8 | 2014-01-21
expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE
nvd
CVE-2013-5196 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6 | 2013-12-18
WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-12-16-1.
nvd
CVE-2013-5199 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6 | 2013-12-18
WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-12-16-1.
nvd
CVE-2013-5198 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6 | 2013-12-18
WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-12-16-1.
nvd
CVE-2013-5197 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6 | 2013-12-18
WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-12-16-1.
nvd
CVE-2013-5228 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6 | 2013-12-18
WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-12-16-1.
nvd
CVE-2013-5225 | MEDIUM | CVSS 6.8 | CWE-119 | ≤ 7.0.6 | 2013-12-18
WebKit, as used in Apple Safari before 6.1.1 and 7.x before 7.0.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2013-12-16-1.
nvd
CVE-2013-5193 | MEDIUM | CVSS 4.7 | CWE-255 | ≤ 7.0.3, v7.0, +2 more | 2013-11-18
The App Store component in Apple iOS before 7.0.4 does not properly enforce an intended transaction-time password requirement, which allows local users to complete a (1) App purchase or (2) In-App purchase by leveraging previous entry of Apple ID credentials.
nvd
CVE-2013-5162 | LOW | CVSS 2.1 | CWE-264 | ≤ 7.0.2, v7.0, +1 more | 2013-10-24
Passcode Lock in Apple iOS before 7.0.3 on iPhone devices allows physically proximate attackers to bypass the passcode-failure disabled state by leveraging certain incorrect visibility of the passcode-entry view after use of the Phone app.
nvd
CVE-2013-5144 | LOW | CVSS 3.3 | CWE-264 | ≤ 7.0.2, v7.0, +1 more | 2013-10-24
Passcode Lock in Apple iOS before 7.0.3 on iPhone devices allows physically proximate attackers to bypass an intended passcode requirement, and dial arbitrary telephone numbers, by tapping the emergency-call button during a certain notification and camera-pane state to trigger a NULL pointer dereference.
nvd