CVSS: 7.3EPSS: 0%CPEs: 17EXPL: 0CVE-2014-3620
https://notcve.org/view.php?id=CVE-2014-3620
18 Nov 2014 — cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain. cURL y libcurl anteriores a 7.38.0 permite a atacantes remotos evadir Same Origin Policy y configurar cookies para sitios arbitrarios mediante la configuración de una cookie de un dominio de nivel superior. • http://curl.haxx.se/docs/adv_20140910B.html • CWE-310: Cryptographic Issues •
CVSS: 7.5EPSS: 1%CPEs: 90EXPL: 0CVE-2014-4453
https://notcve.org/view.php?id=CVE-2014-4453
18 Nov 2014 — Apple iOS before 8.1.1 and OS X before 10.10.1 include location data during establishment of a Spotlight Suggestions server connection by Spotlight or Safari, which might allow remote attackers to obtain sensitive information via unspecified vectors. Apple iOS anterior a 8.1.1 y OS X anterior a 10.10.1 incluiye datos de localización durante el establecimiento de una conexión en el servidor de Spotlight Suggestions por Spotlight o Safari, lo que podría permitir a atacantes remotos obtener información sensibl... • http://lists.apple.com/archives/security-announce/2014/Nov/msg00000.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 86EXPL: 0CVE-2014-4458
https://notcve.org/view.php?id=CVE-2014-4458
18 Nov 2014 — The "System Profiler About This Mac" component in Apple OS X before 10.10.1 includes extraneous cookie data in system-model requests, which might allow remote attackers to obtain sensitive information via unspecified vectors. El componente 'System Profiler About This Mac' en Apple OS X anterior a 10.10.1 incluye datos extraños en la cookie en peticiones 'sistema-modelo', lo que podría permitir a atacantes remotos obtener información sensible a través de vectores no especificados. • http://lists.apple.com/archives/security-announce/2014/Nov/msg00001.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 10%CPEs: 7EXPL: 0CVE-2014-4459
https://notcve.org/view.php?id=CVE-2014-4459
18 Nov 2014 — Use-after-free vulnerability in WebKit, as used in Apple OS X before 10.10.1, allows remote attackers to execute arbitrary code via crafted page objects in an HTML document. Una vulnerabilidad de uso después de liberación en WebKit, usado en Apple OS X anterior a 10.10.1, permite a atacantes ejecutar código arbitrario a través de objetos de página en un documento HTML. • http://lists.apple.com/archives/security-announce/2014/Dec/msg00000.html •
CVSS: 5.3EPSS: 0%CPEs: 91EXPL: 0CVE-2014-4460
https://notcve.org/view.php?id=CVE-2014-4460
18 Nov 2014 — CFNetwork in Apple iOS before 8.1.1 and OS X before 10.10.1 does not properly clear the browsing cache upon a transition out of private-browsing mode, which makes it easier for physically proximate attackers to obtain sensitive information by reading cache files. CFNetwork en Apple iOS anterior a 8.1.1 y OS X anterior a 10.10.1 no limpia debidamente la caché de navegación sobre una transición del modo de navegación privada, lo que facilita a atacantes físicamente próximos obtener información sensible median... • http://lists.apple.com/archives/security-announce/2014/Nov/msg00000.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.3EPSS: 0%CPEs: 18EXPL: 0CVE-2014-4461
https://notcve.org/view.php?id=CVE-2014-4461
18 Nov 2014 — The kernel in Apple iOS before 8.1.1 and Apple TV before 7.0.2 does not properly validate IOSharedDataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted application. El kernel en Apple iOS anterior a 8.1.1 y Apple TV anterior a 7.0.2, no valida correctamente los metadatos del objeto IOSharedDataQueue, lo que permite a atacantes ejecutar código remoto en un contexto privilegiado a través de una aplicación manipulada. • http://lists.apple.com/archives/security-announce/2014/Nov/msg00000.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 94%CPEs: 25EXPL: 3CVE-2014-8517 – tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side
https://notcve.org/view.php?id=CVE-2014-8517
17 Nov 2014 — The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect. La función fetch_url ubicada en usr.bin/ftp/fetch.c en thftp, usada en NetBSD 5.1 en 5.1.4, 5.2 hasta 5.2.2, 6.0 hasta 6.0.6 y 6.1 hasta 6.1.5 permite a atacantes remotos ejecutar comandos arbitrarios a través de un carácter '|' (tubería) al final ... • https://packetstorm.news/files/id/144874 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 116EXPL: 0CVE-2014-3660 – libxml2: denial of service via recursive entity expansion
https://notcve.org/view.php?id=CVE-2014-3660
04 Nov 2014 — parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack. parser.c en libxml2 anterior a 2.9.2 no previene debidamente la expansión de entidades incluso cuando la substitución de entidades haya sido deshabilitada, lo que permite a at... • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4437
https://notcve.org/view.php?id=CVE-2014-4437
18 Oct 2014 — LaunchServices in Apple OS X before 10.10 allows attackers to bypass intended sandbox restrictions via an application that specifies a crafted handler for the Content-Type field of an object. LaunchServices en Apple OS X anterior a 10.10 permite a atacantes evadir restricciones de sandbox a través de una aplicación que especifica un manejador manipulado para el campo Content-Type de un objeto. • http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4435
https://notcve.org/view.php?id=CVE-2014-4435
18 Oct 2014 — The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access via a brute-force attack involving a series of reboots. La característica 'iCloud Find My Mac' en Apple OS X anterior a 10.10 no fuerza debidamente el límite de velocidad en la entrada del PIN en el modo perdido, lo que facilita a atacantes físicamente próximos obtener acceso a través de un ataque de fuerza bruta... • http://archives.neohapsis.com/archives/bugtraq/2014-10/0101.html • CWE-287: Improper Authentication •