Filtered by vendor Apple
Subscribe
Total
13030 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-11935 | 3 Apple, Linux, Wolfssl | 3 Macos, Linux Kernel, Wolfssl | 2025-12-03 | N/A | 7.5 HIGH |
| With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. This happened when a server responded to a ClientHello containing psk_dhe_ke without a key_share extension. The re-use of an authenticated PSK connection that on the clients side unexpectedly did not have PFS, reduces the security of the connection. | |||||
| CVE-2025-11934 | 3 Apple, Linux, Wolfssl | 3 Macos, Linux Kernel, Wolfssl | 2025-12-03 | N/A | 2.7 LOW |
| Improper input validation in the TLS 1.3 CertificateVerify signature algorithm negotiation in wolfSSL 5.8.2 and earlier on multiple platforms allows for downgrading the signature algorithm used. For example when a client sends ECDSA P521 as the supported signature algorithm the server previously could respond as ECDSA P256 being the accepted signature algorithm and the connection would continue with using ECDSA P256, if the client supports ECDSA P256. | |||||
| CVE-2025-11933 | 3 Apple, Linux, Wolfssl | 3 Macos, Linux Kernel, Wolfssl | 2025-12-03 | N/A | 6.5 MEDIUM |
| Improper Input Validation in the TLS 1.3 CKS extension parsing in wolfSSL 5.8.2 and earlier on multiple platforms allows a remote unauthenticated attacker to potentially cause a denial-of-service via a crafted ClientHello message with duplicate CKS extensions. | |||||
| CVE-2025-13223 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-02 | N/A | 8.8 HIGH |
| Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2025-43433 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2025-12-01 | N/A | 8.8 HIGH |
| The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to memory corruption. | |||||
| CVE-2025-43431 | 1 Apple | 6 Ipados, Iphone Os, Safari and 3 more | 2025-12-01 | N/A | 8.8 HIGH |
| The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. Processing maliciously crafted web content may lead to memory corruption. | |||||
| CVE-2025-43423 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2025-12-01 | N/A | 2.0 LOW |
| A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2. An attacker with physical access to an unlocked device paired with a Mac may be able to view sensitive user information in system logging. | |||||
| CVE-2025-43422 | 1 Apple | 2 Ipados, Iphone Os | 2025-12-01 | N/A | 4.6 MEDIUM |
| The issue was addressed by adding additional logic. This issue is fixed in iOS 26.1 and iPadOS 26.1. An attacker with physical access to a device may be able to disable Stolen Device Protection. | |||||
| CVE-2025-43360 | 1 Apple | 2 Ipados, Iphone Os | 2025-12-01 | N/A | 5.5 MEDIUM |
| The issue was addressed with improved UI. This issue is fixed in iOS 26 and iPadOS 26. Password fields may be unintentionally revealed. | |||||
| CVE-2025-43300 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2025-11-26 | N/A | 10.0 CRITICAL |
| An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in iOS 15.8.5 and iPadOS 15.8.5, iOS 16.7.12 and iPadOS 16.7.12. Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals. | |||||
| CVE-2025-43374 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2025-11-26 | N/A | 4.3 MEDIUM |
| An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5, visionOS 2.5, macOS Sonoma 14.7.3, macOS Ventura 13.7.3, macOS Sequoia 15.5, watchOS 11.5. An attacker in physical proximity may be able to cause an out-of-bounds read in kernel memory. | |||||
| CVE-2025-31266 | 1 Apple | 2 Macos, Safari | 2025-11-26 | N/A | 4.3 MEDIUM |
| A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window. | |||||
| CVE-2025-31248 | 1 Apple | 1 Macos | 2025-11-26 | N/A | 5.5 MEDIUM |
| A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Ventura 13.7.3, macOS Sequoia 15.5, macOS Sonoma 14.7.3. An app may be able to access sensitive user data. | |||||
| CVE-2025-31216 | 1 Apple | 2 Ipados, Iphone Os | 2025-11-26 | N/A | 2.4 LOW |
| The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.7, iOS 18.5 and iPadOS 18.5. An attacker with physical access to a device may be able to override managed Wi-Fi profiles. | |||||
| CVE-2017-7825 | 3 Apple, Debian, Mozilla | 4 Mac Os X, Debian Linux, Firefox and 1 more | 2025-11-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Several fonts on OS X display some Tibetan and Arabic characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 56, Firefox ESR < 52.4, and Thunderbird < 52.4. | |||||
| CVE-2017-7763 | 3 Apple, Debian, Mozilla | 4 Mac Os X, Debian Linux, Firefox and 1 more | 2025-11-25 | 5.0 MEDIUM | 5.3 MEDIUM |
| Default fonts on OS X display some Tibetan characters as whitespace. When used in the addressbar as part of an IDN this can be used for domain name spoofing attacks. Note: This attack only affects OS X operating systems. Other operating systems are unaffected. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. | |||||
| CVE-2013-0340 | 3 Apple, Libexpat Project, Python | 7 Ipados, Iphone Os, Macos and 4 more | 2025-11-25 | 6.8 MEDIUM | N/A |
| expat before version 2.4.0 does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE. | |||||
| CVE-2025-12725 | 4 Apple, Google, Linux and 1 more | 5 Macos, Android, Chrome and 2 more | 2025-11-25 | N/A | 8.8 HIGH |
| Out of bounds read in WebGPU in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2025-13042 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-11-25 | N/A | 8.8 HIGH |
| Inappropriate implementation in V8 in Google Chrome prior to 142.0.7444.166 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | |||||
| CVE-2025-12728 | 4 Apple, Google, Linux and 1 more | 5 Macos, Android, Chrome and 2 more | 2025-11-25 | N/A | 4.2 MEDIUM |
| Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | |||||