| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as used on iOS before 8.3 and other platforms, does not properly delete browsing-history data from the history.plist file, which allows attackers to obtain sensitive information by reading this file. |
| The Sandbox Profiles component in Apple iOS before 8.3 allows attackers to read the (1) telephone number or (2) e-mail address of a recent contact via a crafted app. |
| The Sandbox Profiles component in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to discover hardware identifiers via a crafted app. |
| WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not properly handle the userinfo field in FTP URLs, which allows remote attackers to trigger incorrect resource access via unspecified vectors. |
| The private-browsing implementation in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 allows attackers to obtain sensitive browsing-history information via vectors involving push-notification requests. |
| fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135. |
| fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135. |
| fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1134, and CVE-2015-1135. |
| fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1135. |
| fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1134. |
| Hypervisor in Apple OS X before 10.10.3 allows local users to cause a denial of service via unspecified vectors. |
| ImageIO in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .sgi file. |
| Open Directory Client in Apple OS X before 10.10.3 sends unencrypted password-change requests in certain circumstances involving missing certificates, which allows remote attackers to obtain sensitive information by sniffing the network. |
| Screen Sharing in Apple OS X before 10.10.3 stores the password of a user in a log file, which might allow context-dependent attackers to obtain sensitive information by reading this file. |
| RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors. |
| The DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension. |
| The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search_engines/search_engine_tab_helper.cc in Google Chrome before 42.0.2311.90 does not prevent use of a file: URL for an OpenSearch descriptor XML document, which might allow remote attackers to obtain sensitive information from local files via a crafted (1) http or (2) https web site. |
| The URLRequest::GetHSTSRedirect function in url_request/url_request.cc in Google Chrome before 42.0.2311.90 does not replace the ws scheme with the wss scheme whenever an HSTS Policy is active, which makes it easier for remote attackers to obtain sensitive information by sniffing the network for WebSocket traffic. |
| android/java/src/org/chromium/chrome/browser/WebsiteSettingsPopup.java in Google Chrome before 43.0.2357.65 on Android does not properly restrict use of a URL's fragment identifier during construction of a page-info popup, which allows remote attackers to spoof the URL bar or deliver misleading popup content via crafted text. |
| The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly check for a page's maximum number of frames, which allows remote attackers to cause a denial of service (invalid count value and use-after-free) or possibly have unspecified other impact via crafted JavaScript code that makes many createElement calls for IFRAME elements. |
