Apple macOS vulnerabilities

3,139 known vulnerabilities affecting apple/mac_os_x.

Total CVEs: 3,139
CISA KEV: 26 (actively exploited)
Public exploits: 277
Exploited in wild: 28
Severity breakdown: CRITICAL 302, HIGH 1409, MEDIUM 1236, LOW 192

Vulnerabilities

Page 99 of 157
CVE-2015-3727 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3727 [MEDIUM] CWE-264: WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly restrict rename operations on WebSQL tables, which allows remote attackers to access an arbitrary web site's database via a crafted web site.
nvd
CVE-2015-3668 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3668 [MEDIUM]: QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3661, CVE-2015-3662, CVE-2015-3663, CVE-2015-3666, and CVE-2015-3667.
nvd
CVE-2015-3676 | MEDIUM | CVSS 4.3 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3676 [MEDIUM] CWE-200: AppleGraphicsControl in Apple OS X before 10.10.4 allows attackers to obtain sensitive memory-layout information via a crafted app.
nvd
CVE-2015-3689 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3689 [MEDIUM]: CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, and CVE-2015-3688.
nvd
CVE-2015-3711 | MEDIUM | CVSS 4.3 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3711 [MEDIUM] CWE-200: The NTFS implementation in Apple OS X before 10.10.4 allows attackers to obtain sensitive memory-layout information for the kernel via a crafted app.
nvd
CVE-2015-3687 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3687 [MEDIUM]: CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3685, CVE-2015-3686, CVE-2015-3688, and CVE-2015-3689.
nvd
CVE-2015-3661 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3661 [MEDIUM] CWE-119: QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3662, CVE-2015-3663, CVE-2015-3666, CVE-2015-3667, and CVE-2015-3668.
nvd
CVE-2015-3662 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3662 [MEDIUM]: QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3661, CVE-2015-3663, CVE-2015-3666, CVE-2015-3667, and CVE-2015-3668.
nvd
CVE-2015-3709 | MEDIUM | CVSS 6.9 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3709 [MEDIUM] CWE-362: Race condition in kext tools in Apple OS X before 10.10.4 allows local users to bypass intended signature requirements for kernel extensions by leveraging improper pathname validation.
nvd
CVE-2015-3658 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3658 [MEDIUM] CWE-254: The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site.
nvd
CVE-2015-3659 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3659 [MEDIUM] CWE-264: The SQLite authorizer in the Storage functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly restrict access to SQL functions, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted
nvd
CVE-2015-3681 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3681 [MEDIUM]: Apple Type Services (ATS) in Apple OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file, a different vulnerability than CVE-2015-3679, CVE-2015-3680, and CVE-2015-3682.
nvd
CVE-2015-3718 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3718 [MEDIUM]: systemstatsd in the System Stats subsystem in Apple OS X before 10.10.4 does not properly interpret data types encountered in interprocess communication, which allows attackers to execute arbitrary code with systemstatsd privileges via a crafted app, related to a "type confusion" issue.
nvd
CVE-2015-3684 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3684 [MEDIUM] CWE-119: The HTTPAuthentication implementation in CFNetwork in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted credentials in a URL.
nvd
CVE-2015-3667 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3667 [MEDIUM]: QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3661, CVE-2015-3662, CVE-2015-3663, CVE-2015-3666, and CVE-2015-3668.
nvd
CVE-2015-3720 | MEDIUM | CVSS 4.3 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3720 [MEDIUM] CWE-200: The kernel in Apple OS X before 10.10.4 does not properly manage memory in kernel-extension APIs, which allows attackers to obtain sensitive memory-layout information via a crafted app.
nvd
CVE-2015-3685 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3685 [MEDIUM] CWE-119: CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3686, CVE-2015-3687, CVE-2015-3688, and CVE-2015-3689.
nvd
CVE-2015-3663 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3663 [MEDIUM]: QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3661, CVE-2015-3662, CVE-2015-3666, CVE-2015-3667, and CVE-2015-3668.
nvd
CVE-2015-3688 | MEDIUM | CVSS 6.8 | ≤ 10.10.3 | 2015-07-03
CVE-2015-3688 [MEDIUM]: CoreText in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted text file, a different vulnerability than CVE-2015-3685, CVE-2015-3686, CVE-2015-3687, and CVE-2015-3689.
nvd
CVE-2015-4026 | HIGH | CVSS 7.5 | ≤ 10.10.4 | 2015-06-09
CVE-2015-4026 [HIGH]: The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix fo
nvd