Apple Safari vulnerabilities
1,592 known vulnerabilities affecting apple/safari.
Total CVEs: 1,592
CISA KEV: 31 (actively exploited)
Public exploits: 157
Exploited in wild: 25
Severity breakdown
CRITICAL 211 | HIGH 603 | MEDIUM 757 | LOW 20 | UNKNOWN 1
Vulnerabilities
CVE-2016-4651 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 9.1.1 | 2016-07-22
Cross-site scripting (XSS) vulnerability in the WebKit JavaScript bindings in Apple iOS before 9.3.3 and Safari before 9.1.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP/0.9 response, related to a "cross-protocol cross-site scripting (XPXSS)" vulnerability.
nvd, apple
CVE-2016-4590 | MEDIUM | CVSS 5.4 | CWE-20 | ≤ 9.1.1 | 2016-07-22
WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles about: URLs, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
nvd, apple
CVE-2016-4591 | HIGH | CVSS 7.5 | v9.1.2 | 2016-07-18
Apple Security Update: About the security content of Safari 9.1.2
Product: Safari
Version: 9.1.2
CVE: CVE-2016-4591
Component: WebKit
Impact: Visiting a maliciously crafted website may leak sensitive data
Description: A permissions issue existed in the handling of the location variable. This was addressed through additional ownership checks.
apple
CVE-2016-4589 | HIGH | CVSS 8.8 | v9.1.2 | 2016-07-18
Apple Security Update: About the security content of Safari 9.1.2
Product: Safari
Version: 9.1.2
CVE: CVE-2016-4589
Component: WebKit
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed through improved memory handling.
apple
CVE-2016-4585 | MEDIUM | CVSS 6.1 | v9.1.2 | 2016-07-18
Apple Security Update: About the security content of Safari 9.1.2
Product: Safari
Version: 9.1.2
CVE: CVE-2016-4585
Component: WebKit Page Loading
Impact: A malicious website may exfiltrate data cross-origin
Description: A cross-site scripting issue existed in Safari URL redirection. This issue was addressed through improved URL validation on redirection.
apple
CVE-2016-4592 | MEDIUM | CVSS 6.5 | v9.1.2 | 2016-07-18
Apple Security Update: About the security content of Safari 9.1.2
Product: Safari
Version: 9.1.2
CVE: CVE-2016-4592
Component: WebKit
Impact: Visiting a maliciously crafted webpage may lead to a system denial of service
Description: A memory consumption issue was addressed through improved memory handling.
apple
CVE-2016-4583 | LOW | CVSS 3.1 | v9.1.2 | 2016-07-18
Apple Security Update: About the security content of Safari 9.1.2
Product: Safari
Version: 9.1.2
CVE: CVE-2016-4583
Component: WebKit
Impact: Visiting a malicious website may disclose image data from another website
Description: A timing issue existed in the processing of SVG. This issue was addressed through improved validation.
apple
CVE-2016-1864 | MEDIUM | CVSS 4.3 | CWE-200 | ≤ 9.0.3 | 2016-06-19
The XSS auditor in WebKit, as used in Apple iOS before 9.3 and Safari before 9.1, does not properly handle redirects in block mode, which allows remote attackers to obtain sensitive information via a crafted URL.
nvd, apple
CVE-2016-1856 | HIGH | CVSS 8.8 | fixed in 9.1.1 | 2016-05-20
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1857.
nvd, apple
CVE-2016-1857 | HIGH | CVSS 8.8 | fixed in 9.1.1 | 2016-05-20
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1855, and CVE-2016-1856.
nvd, apple
CVE-2016-1854 | HIGH | CVSS 8.8 | CWE-119 | fixed in 9.1.1 | 2016-05-20
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1855, CVE-2016-1856, and CVE-2016-1857.
nvd, apple
CVE-2016-1855 | HIGH | CVSS 8.8 | fixed in 9.1.1 | 2016-05-20
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1854, CVE-2016-1856, and CVE-2016-1857.
nvd, apple
CVE-2016-1859 | HIGH | CVSS 8.8 | CWE-119 | fixed in 9.1.1 | 2016-05-20
The WebKit Canvas implementation in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
nvd, apple
CVE-2016-1858 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 9.1.1 | 2016-05-20
WebKit, as used in Apple iOS before 9.3.2, Safari before 9.1.1, and tvOS before 9.2.1, improperly tracks taint attributes, which allows remote attackers to obtain sensitive information via a crafted web site.
nvd, apple
CVE-2016-1849 | LOW | CVSS 3.3 | CWE-200 | ≤ 9.1 | 2016-05-20
The "Clear History and Website Data" feature in Apple Safari before 9.1.1, as used in iOS before 9.3.2 and other products, mishandles the deletion of browsing history, which might allow local users to obtain sensitive information by leveraging read access to a Safari directory.
nvd, apple
CVE-2016-1762 | HIGH | CVSS 8.1 | CWE-119 | fixed in 9.1 | 2016-03-24
The xmlNextChar function in libxml2 before 2.9.4 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
nvd
CVE-2016-1783 | HIGH | CVSS 8.8 | CWE-119 | fixed in 9.1 | 2016-03-24
WebKit in Apple iOS before 9.3, Safari before 9.1, and tvOS before 9.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
nvd, apple
CVE-2016-1778 | HIGH | CVSS 8.8 | CWE-399 | ≤ 9.0.3 | 2016-03-24
WebKit in Apple iOS before 9.3 and Safari before 9.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
nvd, apple
CVE-2016-1784 | MEDIUM | CVSS 6.5 | CWE-400 | fixed in 9.1 | 2016-03-24
The History implementation in WebKit in Apple iOS before 9.3, Safari before 9.1, and tvOS before 9.2 allows remote attackers to cause a denial of service (resource consumption and application crash) via a crafted web site.
nvd, apple
CVE-2016-1782 | MEDIUM | CVSS 6.5 | CWE-284 | ≤ 9.0.3 | 2016-03-24
WebKit in Apple iOS before 9.3 and Safari before 9.1 does not properly restrict redirects that specify a TCP port number, which allows remote attackers to bypass intended port restrictions via a crafted web site.
nvd, apple