2024

2023

2022

2021

2020

2019

CVE-2019-13450 (v3: 6.5) 9 Jul 2019
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
CVE-2019-5585 (v3: 6.1) 9 Apr 2019
An improper access control vulnerability in FortiClientMac before 6.0.5 may allow an attacker to affect the application's performance via modifying the contents of a file used by several FortiClientMac processes.

2018

2017

2016

CVE-2016-4694 (v3: 9.1) 25 Sep 2016
The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue, a related issue to CVE-2016-5387.
CVE-2016-1842 (v3: 7.5) 20 May 2016
MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic.
CVE-2016-1844 (v3: 5.3) 20 May 2016
The Messages component in Apple OS X before 10.11.5 mishandles roster changes, which allows remote attackers to modify contact lists via unspecified vectors.
CVE-2016-1797 (v3: 7.8) 20 May 2016
Apple Type Services (ATS) in Apple OS X before 10.11.5 allows attackers to bypass intended FontValidator sandbox-policy restrictions and execute arbitrary code in a privileged context via a crafted app.
CVE-2016-1805 (v3: 7.8) 20 May 2016
CoreStorage in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context via a crafted app.
CVE-2016-1806 (v3: 7.8) 20 May 2016
Crash Reporter in Apple OS X before 10.11.5 allows attackers to execute arbitrary code in a privileged context via a crafted app.
CVE-2016-1770 (v3: 6.5) 24 Mar 2016
The Reminders component in Apple OS X before 10.11.4 allows attackers to bypass an intended user-confirmation requirement and trigger a dialing action via a tel: URL.
CVE-2016-1774 (v3: 5.3) 24 Mar 2016
The Time Machine server in Server App in Apple OS X Server before 5.1 does not notify the user about ignored permissions during a backup, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading backup data that lacks intended restrictions.
CVE-2016-1776 (v3: 5.3) 24 Mar 2016
Web Server in Apple OS X Server before 5.1 does not properly restrict access to .DS_Store and .htaccess files, which allows remote attackers to obtain sensitive configuration information via an HTTP request.

2015

CVE-2015-6984 (v2: 8.8) 23 Oct 2015
libarchive in Apple OS X before 10.11.1 allows attackers to write to arbitrary files via a crafted app that conducts an unspecified symlink attack.
CVE-2015-5913 (v2: 6.8) 9 Oct 2015
Heimdal, as used in Apple OS X before 10.11, allows remote attackers to conduct replay attacks against the SMB server via packet data that represents a Kerberos authenticated request.
CVE-2015-3806 (v2: 7.2) 17 Aug 2015
Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to bypass a code-signing protection mechanism by appending code to a crafted executable file.
CVE-2015-3757 (v2: 2.1) 17 Aug 2015
Apple OS X before 10.10.5 does not properly restrict access to the Date & Time preferences pane, which allows local users to spoof the time by visiting this pane.
CVE-2015-3671 (v2: 7.2) 3 Jul 2015
Admin Framework in Apple OS X before 10.10.4 does not properly verify XPC entitlements, which allows local users to bypass authentication and obtain admin privileges via unspecified vectors.
CVE-2015-3672 (v2: 7.2) 3 Jul 2015
Admin Framework in Apple OS X before 10.10.4 does not properly handle authentication errors, which allows local users to obtain admin privileges via unspecified vectors.
CVE-2015-3675 (v2: 5) 3 Jul 2015
The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL.
CVE-2015-3691 (v2: 9.3) 3 Jul 2015
The Monitor Control Command Set kernel extension in the Display Drivers subsystem in Apple OS X before 10.10.4 allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages control of a function pointer.
CVE-2015-3692 (v2: 6.8) 3 Jul 2015
Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and other products, does not enforce a locking protection mechanism upon being woken from sleep, which allows local users to conduct EFI flash attacks by leveraging root privileges.