CVSS: 4.3EPSS: 0%CPEs: 118EXPL: 0CVE-2009-2825
https://notcve.org/view.php?id=CVE-2009-2825
Certificate Assistant in Apple Mac OS X before 10.6.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Certificate Assistant en Apple Mac OS X anterior a v10.6.2 no controla correctamente un caracter '\0' en el nombre de dominio en el campo nombre común del sujeto (CN) de un certificado X.509, lo que podría permitir que atacantes hombre-en-el-medio suplantar a su elección servidores SSL a través de un certificado expedido por una Autoridad de Certificación legítima, una cuestión relacionada con CVE-2009-2408. • http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://support.apple.com/kb/HT3937 http://www.securityfocus.com/bid/36956 http://www.vupen.com/english/advisories/2009/3184 • CWE-310: Cryptographic Issues •
CVSS: 4.3EPSS: 0%CPEs: 118EXPL: 0CVE-2009-2823
https://notcve.org/view.php?id=CVE-2009-2823
The Apache HTTP Server in Apple Mac OS X before 10.6.2 enables the HTTP TRACE method, which allows remote attackers to conduct cross-site scripting (XSS) attacks via unspecified web client software. El servidor Apache HTTP en Apple Mac OS X anterior v10.6.2 habilita el método HTTP TRACE, lo que permite a atacantes dirigir ejecuciones de secuencias de comandos en sitios cruzados (XSS) a través de software de clientes web no especificados. • http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://support.apple.com/kb/HT3937 http://www.mandriva.com/security/advisories?name=MDVSA-2009:300 http://www.securityfocus.com/bid/36956 http://www.vupen.com/english/advisories/2009/3184 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.6EPSS: 0%CPEs: 118EXPL: 0CVE-2009-2835
https://notcve.org/view.php?id=CVE-2009-2835
The kernel in Apple Mac OS X before 10.6.2 does not properly handle task state segments, which allows local users to gain privileges, cause a denial of service (system crash), or obtain sensitive information via unspecified vectors. El núcleo de Apple Mac OS X anterior a v10.6.2 no controla correctamente los segmentos de estado de la tarea, lo que permite a usuarios locales obtener privilegios, provocar una denegación de servicio (cuelgue del sistema), u obtener información sensible a través de vectores no especificados. • http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://support.apple.com/kb/HT3937 http://www.securityfocus.com/bid/36956 http://www.vupen.com/english/advisories/2009/3184 • CWE-20: Improper Input Validation •
CVSS: 4.9EPSS: 0%CPEs: 118EXPL: 0CVE-2009-2834
https://notcve.org/view.php?id=CVE-2009-2834
IOKit in Apple Mac OS X before 10.6.2 allows local users to modify the firmware of a (1) USB or (2) Bluetooth keyboard via unspecified vectors. IOKit en Apple Mac OS X anterior v10.6.2 permite a usuarios locales modificar el firmware de (1) USB o (2) teclado Bluetooth a través de vectores no especificados. • http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://support.apple.com/kb/HT3937 http://www.securityfocus.com/bid/36956 http://www.vupen.com/english/advisories/2009/3184 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 118EXPL: 1CVE-2009-2820 – CUPS - 'kerberos' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-2820
The web interface in CUPS before 1.4.2, as used on Apple Mac OS X before 10.6.2 and other platforms, does not properly handle (1) HTTP headers and (2) HTML templates, which allows remote attackers to conduct cross-site scripting (XSS) attacks and HTTP response splitting attacks via vectors related to (a) the product's web interface, (b) the configuration of the print system, and (c) the titles of printed jobs, as demonstrated by an XSS attack that uses the kerberos parameter to the admin program, and leverages attribute injection and HTTP Parameter Pollution (HPP) issues. CUPS en Apple Mac OS X anterior a v10.6.2no maneja adecuadamente (1) las cabeceras HTTP y (2) las plantillas HTML, lo que permite a atacantes remotos dirigir ataques de petición de sitios cruzados (XSS) y ataques de separación de respuesta HTTP a través de vectores relacionados con (a) la interfaz web del producto, (b) la configuración del sistema de impresión, y (c) los títulos de los trabajos impresos. • https://www.exploit-db.com/exploits/10001 http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html http://secunia.com/advisories/37308 http://secunia.com/advisories/37360 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021115.1-1 http://support.apple.com/kb/HT3937 http://www.cups.org/articles.php?L590 http://www.cups.org/documentation.php/relnotes.html http://www.cups.org/str.php?L3367 http://www.mandriva.com/security/advisories?name=MDVSA-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •