This page lists publicly disclosed CVE vulnerabilities affecting apple mac_os_x_server (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2010-1821 | Apple Mac OS X 10.6 through 10.6.3 and Mac OS X Server 10.6 through 10.6.3 allows local users to obtain system privileges. | [email protected] | 7.8 | 0.04% | 2017-04-13 | 2026-05-13 |
| CVE-2010-1816 | Buffer overflow in ImageIO in Apple Mac OS X 10.6 through 10.6.3 and Mac OS X Server 10.6 through 10.6.3 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a crafted image. | [email protected] | 7.8 | 0.83% | 2017-04-13 | 2026-05-13 |
| CVE-2016-1787 | Wiki Server in Apple OS X Server before 5.1 allows remote attackers to obtain sensitive information from Wiki pages via unspecified vectors. | [email protected] | 5.3 | 0.38% | 2016-03-24 | 2026-05-06 |
| CVE-2016-1777 | Web Server in Apple OS X Server before 5.1 supports the RC4 algorithm, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. | [email protected] | 7.5 | 0.40% | 2016-03-24 | 2026-05-06 |
| CVE-2016-1776 | Web Server in Apple OS X Server before 5.1 does not properly restrict access to .DS_Store and .htaccess files, which allows remote attackers to obtain sensitive configuration information via an HTTP request. | [email protected] | 5.3 | 0.28% | 2016-03-24 | 2026-05-06 |
| CVE-2016-1774 | The Time Machine server in Server App in Apple OS X Server before 5.1 does not notify the user about ignored permissions during a backup, which makes it easier for remote attackers to obtain sensitive information in opportunistic circumstances by reading backup data that lacks intended restrictions. | [email protected] | 5.3 | 0.32% | 2016-03-24 | 2026-05-06 |
| CVE-2015-7031 | The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors. | [email protected] | 5.0 | 0.26% | 2015-10-23 | 2026-05-06 |
| CVE-2015-5911 | Multiple unspecified vulnerabilities in Twisted in Wiki Server in Apple OS X Server before 5.0.3 allow attackers to have an unknown impact via an XML document. | [email protected] | 10.0 | 0.39% | 2015-09-18 | 2026-05-06 |
| CVE-2015-5986 | openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted DNS response. | [email protected] | 7.1 | 47.99% | 2015-09-05 | 2026-05-06 |
| CVE-2015-5722 | buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone. | [email protected] | 7.8 | 65.92% | 2015-09-05 | 2026-05-06 |
| CVE-2015-3185 | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. | [email protected] | 4.3 | 6.37% | 2015-07-20 | 2026-05-06 |
| CVE-2015-0253 | The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI. | [email protected] | 5.0 | 10.76% | 2015-07-20 | 2026-05-06 |
| CVE-2015-3165 | Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence. | [email protected] | 4.3 | 8.33% | 2015-05-28 | 2026-05-06 |
| CVE-2015-0228 | The lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function. | [email protected] | 5.0 | 15.24% | 2015-03-08 | 2026-05-06 |
| CVE-2014-4350 | Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file. | [email protected] | 6.8 | 2.35% | 2014-09-19 | 2026-05-06 |
| CVE-2014-1391 | QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding. | [email protected] | 6.8 | 2.57% | 2014-09-19 | 2026-05-06 |
| CVE-2014-1371 | Array index error in Dock in Apple OS X before 10.9.4 allows attackers to execute arbitrary code or cause a denial of service (incorrect function-pointer dereference and application crash) by leveraging access to a sandboxed application for sending a message. | [email protected] | 7.5 | 0.79% | 2014-07-01 | 2026-05-06 |
| CVE-2014-1370 | The byte-swapping implementation in copyfile in Apple OS X before 10.9.4 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds memory access and application crash) via a crafted AppleDouble file in a ZIP archive. | [email protected] | 6.8 | 1.85% | 2014-07-01 | 2026-05-06 |
| CVE-2014-1296 | CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction. | [email protected] | 4.3 | 0.25% | 2014-04-23 | 2026-05-06 |
| CVE-2013-5704 | The mod_headers module in the Apache HTTP Server 2.2.22 allows remote attackers to bypass "RequestHeader unset" directives by placing a header in the trailer portion of data sent with chunked transfer coding. NOTE: the vendor states "this is not a security issue in httpd as such." | [email protected] | 5.0 | 65.04% | 2014-04-15 | 2026-05-06 |