APPLE-SA-2016-07-18-1

APPLE-SA-2016-07-18-2

APPLE-SA-2016-07-18-3

APPLE-SA-2016-07-18-4

APPLE-SA-2016-07-18-6

91826

1036348

FEDORA-2019-320d5295fc

https://support.apple.com/HT206899

https://support.apple.com/HT206901

https://support.apple.com/HT206902

https://support.apple.com/HT206903

https://support.apple.com/HT206904

https://support.apple.com/HT206905

According to the versions of the libxslt packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The xsltStylePreCompute function in preproc.c in     libxslt 1.1.28 does not check if the parent node is an     element, which allows attackers to cause a denial of     service via a crafted XML file, related to a 'type     confusion' issue.(CVE-2015-7995)

  - numbers.c in libxslt before 1.1.29, as used in Google     Chrome before 51.0.2704.63, mishandles namespace nodes,     which allows remote attackers to cause a denial of     service (out-of-bounds heap memory access) or possibly     have unspecified other impact via a crafted     document.(CVE-2016-1683)

  - numbers.c in libxslt before 1.1.29, as used in Google     Chrome before 51.0.2704.63, mishandles the i format     token for xsl:number data, which allows remote     attackers to cause a denial of service (integer     overflow or resource consumption) or possibly have     unspecified other impact via a crafted     document.(CVE-2016-1684)

  - libxslt in Apple iOS before 9.3.3, OS X before 10.11.6,     iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on     Windows, tvOS before 9.2.2, and watchOS before 2.2.2     allows remote attackers to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via unknown vectors, a different vulnerability     than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and     CVE-2016-4612.(CVE-2016-4607)

  - libxslt in Apple iOS before 9.3.3, OS X before 10.11.6,     iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on     Windows, tvOS before 9.2.2, and watchOS before 2.2.2     allows remote attackers to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via unknown vectors, a different vulnerability     than CVE-2016-4607, CVE-2016-4609, CVE-2016-4610, and     CVE-2016-4612.(CVE-2016-4608)

  - libxslt in Apple iOS before 9.3.3, OS X before 10.11.6,     iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on     Windows, tvOS before 9.2.2, and watchOS before 2.2.2     allows remote attackers to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via unknown vectors, a different vulnerability     than CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, and     CVE-2016-4612.(CVE-2016-4609)

  - libxslt in Apple iOS before 9.3.3, OS X before 10.11.6,     iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on     Windows, tvOS before 9.2.2, and watchOS before 2.2.2     allows remote attackers to cause a denial of service     (memory corruption) or possibly have unspecified other     impact via unknown vectors, a different vulnerability     than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and     CVE-2016-4612.(CVE-2016-4610)

  - In xsltCopyText in transform.c in libxslt 1.1.33, a     pointer variable isn't reset under certain     circumstances. If the relevant memory area happened to     be freed and reused in a certain way, a bounds check     could fail and memory outside a buffer could be written     to, or uninitialized data could be     disclosed.(CVE-2019-18197)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libxslt packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - This C library allows to transform XML files into other     XML files (or HTML, text, ...) using the standard XSLT     stylesheet transformation mechanism. To use it you need     to have a version of libxml2 i1/4z= 2.6.27 installed. The     xsltproc command is a command line interface to the     XSLT engine.Security Fix(es):In xsltCopyText in     transform.c in libxslt 1.1.33, a pointer variable isn't     reset under certain circumstances. If the relevant     memory area happened to be freed and reused in a     certain way, a bounds check could fail and memory     outside a buffer could be written to, or uninitialized     data could be disclosed.(CVE-2019-18197)The     xsltStylePreCompute function in preproc.c in libxslt     1.1.28 does not check if the parent node is an element,     which allows attackers to cause a denial of service via     a crafted XML file, related to a 'type confusion'     issue.(CVE-2015-7995)numbers.c in libxslt before     1.1.29, as used in Google Chrome before 51.0.2704.63,     mishandles namespace nodes, which allows remote     attackers to cause a denial of service (out-of-bounds     heap memory access) or possibly have unspecified other     impact via a crafted document.(CVE-2016-1683)numbers.c     in libxslt before 1.1.29, as used in Google Chrome     before 51.0.2704.63, mishandles the i format token for     xsl:number data, which allows remote attackers to cause     a denial of service (integer overflow or resource     consumption) or possibly have unspecified other impact     via a crafted document.(CVE-2016-1684)libxslt in Apple     iOS before 9.3.3, OS X before 10.11.6, iTunes before     12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS     before 9.2.2, and watchOS before 2.2.2 allows remote     attackers to cause a denial of service (memory     corruption) or possibly have unspecified other impact     via unknown vectors, a different vulnerability than     CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and     CVE-2016-4612.(CVE-2016-4607)libxslt in Apple iOS     before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2     on Windows, iCloud before 5.2.1 on Windows, tvOS before     9.2.2, and watchOS before 2.2.2 allows remote attackers     to cause a denial of service (memory corruption) or     possibly have unspecified other impact via unknown     vectors, a different vulnerability than CVE-2016-4607,     CVE-2016-4609, CVE-2016-4610, and     CVE-2016-4612.(CVE-2016-4608)libxslt in Apple iOS     before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2     on Windows, iCloud before 5.2.1 on Windows, tvOS before     9.2.2, and watchOS before 2.2.2 allows remote attackers     to cause a denial of service (memory corruption) or     possibly have unspecified other impact via unknown     vectors, a different vulnerability than CVE-2016-4607,     CVE-2016-4608, CVE-2016-4610, and     CVE-2016-4612.(CVE-2016-4609)libxslt in Apple iOS     before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2     on Windows, iCloud before 5.2.1 on Windows, tvOS before     9.2.2, and watchOS before 2.2.2 allows remote attackers     to cause a denial of service (memory corruption) or     possibly have unspecified other impact via unknown     vectors, a different vulnerability than CVE-2016-4607,     CVE-2016-4608, CVE-2016-4609, and     CVE-2016-4612.(CVE-2016-4610)** REJECT ** DO NOT USE     THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-1683.
    Reason: This candidate is a reservation duplicate of     CVE-2016-1683. Notes: All CVE users should reference     CVE-2016-1683 instead of this candidate. All references     and descriptions in this candidate have been removed to     prevent accidental usage.(CVE-2016-4612)In numbers.c in     libxslt 1.1.33, an xsl:number with certain format     strings could lead to a uninitialized read in     xsltNumberFormatInsertNumbers. This could allow an     attacker to discern whether a byte on the stack     contains the characters A, a, I, i, or 0, or any other     character.(CVE-2019-13117)In numbers.c in libxslt     1.1.33, a type holding grouping characters of an     xsl:number instruction was too narrow and an invalid     character/length combination could be passed to     xsltNumberFormatDecimal, leading to a read of     uninitialized stack data.(CVE-2019-13118)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 1.1.33

Fix CVE-2016-1841, CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, CVE-2016-4609, CVE-2019-11068, CVE-2016-1684, CVE-2016-1683, CVE-2016-4738.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The specific version of Mac OS X that the system is running is reportedly affected by the following vulnerabilities:

- Apple Mac OS X contains an unspecified NULL pointer dereference flaw in Audio, which may allow a local attacker to cause a denial of service for the system. (CVE-2016-4649)

- Apple Mac OS X contains a use-after-free flaw in DspFuncLib that is triggered as user-supplied input is not properly validated when handling function IDs. This may allow a local attacker to dereference already freed memory and potentially execute arbitrary code in the context of the kernel. (CVE-2016-4647)

- Apple Mac OS X contains a use-after-free error in the DspFuncLib extension. The issue is triggered when handling error conditions. With a specially crafted file, a local attacker can dereference already freed memory and potentially execute arbitrary code with root privileges. (CVE-2016-4648)

- Apple Mac OS X contains an out-of-bounds read flaw in ACMP4AACBaseDecoder that is triggered during the handling of a specially crafted MOV file. This may allow a context-dependent attacker to disclose user information. (CVE-2016-4646)

- Apple Mac OS X contains an integer overflow in bspatch related to bsdiff that is triggered as bounds are not properly checked. This may allow a local attacker to potentially gain elevated privileges. (CVE-2014-9862)

- Apple Mac OS X contains a permission flaw in CFNetwork that is triggered during the handling of web browser cookies. This may allow a local attacker to view sensitive user information. (CVE-2016-4645)

- Apple Mac OS X contains an out-of-bounds read flaw in CoreGraphics that is triggered as input is not properly validated. This may allow a local attacker to disclose kernel memory. (CVE-2016-4652)

- Multiple Apple products contain a flaw in CoreGraphics. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4637)

- Multiple Apple products contain a flaw in FaceTime that is triggered as user interface inconsistencies occur when handling relayed calls. This may allow a man-in-the-middle attacker to cause a relayed call to continue to transmit audio while the call appears to be terminated. (CVE-2016-4635)

- Apple Mac OS X contains a flaw in Graphics drivers. The issue is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4634)

- Apple Mac OS X contains a flaw in ImageIO. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4629)

- Apple Mac OS X contains a flaw in ImageIO. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4630)

- Multiple Apple products contain an unspecified flaw in ImageIO that is triggered as memory is not properly handled. This may allow a remote attacker to cause a consumption of available memory resources. (CVE-2016-4632)

- Multiple Apple products contain multiple flaws in ImageIO. The issues are triggered as user-supplied input is not properly validated. This may allow a remote attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4631)

- Apple Mac OS X contains multiple flaws in the Intel Graphics driver. The issues are triggered as user-supplied input is not properly validated when handling memory. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4633)

- Multiple Apple products contain an unspecified NULL pointer dereference flaw in IOHIDFamily that is triggered as input is not properly validated. This may allow a local attacker to gain elevated, kernel privileges.  (CVE-2016-4626)

- Apple Mac OS X contains a use-after-free error in IOSurface that is triggered as memory is not properly managed, which may allow a local attacker to dereference already freed memory and gain elevated, kernel privileges. (CVE-2016-4625)

- Multiple Apple products contain a flaw in Sandbox Profiles that is triggered as restrictions are not properly enforced on privileged API calls. This may allow a local attacker to access the process list. (CVE-2016-4594)

- Multiple Apple products contain a flaw in the Kernel that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-1863)

- Multiple Apple products contain a flaw in the Kernel that is triggered as user-supplied input is not properly validated. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with kernel privileges. (CVE-2016-4582)

- Multiple Apple products contain an unspecified NULL pointer dereference flaw in Kernel that is triggered as input is not properly validated. This may allow a local attacker to cause a denial of service for the system. (CVE-2016-1865)

- Apple Mac OS X contains multiple flaws in libc++abi. The issues are triggered as user-supplied input is not properly validated when handling memory. This may allow a local attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code with root privileges. (CVE-2016-4621)

- Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4614)

- Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4615)

- Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4616)

- Multiple Apple products contain a flaw in libxml2 that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4619)

- Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4607)

- Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4608)

- Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4609)

- Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4610)

- Multiple Apple products contain a flaw in libxslt that is triggered as user-supplied input is not properly validated. This may allow an attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4612)

- Apple Mac OS X contains an unspecified type confusion flaw in the Login Window, which may allow a local attacker to gain elevated, root privileges. (CVE-2016-4638)

- Apple Mac OS X contains an overflow condition that is triggered as user-supplied input is not properly validated when interacting with _XRegisterCursorWithData. This may allow a local attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. (CVE-2016-4640)

- Apple Mac OS X contains a type confusion flaw that is triggered by certain _XSetDictionaryForCurrentSession interactions, which may allow a local attacker to gain elevated privileges. (CVE-2016-4641)

- Apple Mac OS X contains an unspecified memory initialization flaw in the Login Window, which may allow a local attacker to cause a denial of service. (CVE-2016-4639)

- Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted SGI file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code. (CVE-2016-4601)

- Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted Photoshop Document (PSD). This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4599)

- Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4596)

- Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4597)

- Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4600)

- Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted FlashPix Bitmap (FPX) file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4602)

- Apple Mac OS X contains a flaw in QuickTime. The issue is triggered as user-supplied input is not properly validated when handling a specially crafted image file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. (CVE-2016-4598)

- Apple Mac OS X contains a flaw in the Safari Login AutoFill feature that can cause the user's password to be displayed unobfuscated on the screen. This may allow a physically present attacker to potentially gain knowledge of a user's password. (CVE-2016-4595)

- Multiple Apple products contain a flaw in IOPMrootDomain in the kernel that is triggered as certain input is not properly validated. This may allow a local attacker to corrupt memory and potentially execute code with elevated privileges. (CVE-2016-4653)

- Multiple Apple Products contain a flaw in CFNetwork Proxies that is due to the transfer of password information in cleartext. This may allow a man-in-the-middle attacker to gain access to password information. (CVE-2016-4642)

- Multiple Apple Products contain a flaw in CFNetowrk Proxies that is triggered when parsing 407 responses. This may allow a man-in-the-middle attacker to disclose sensitive user information. (CVE-2016-4643)

- Multiple Apple products contain a downgrade flaw in CFNetwork Proxies that is triggered when saving HTTP authentication credentials in the Keychain. This may allow a man-in-the-middle attacker to disclose sensitive user information. (CVE-2016-4644)


The remote host is running a version of iOS 9.3.x prior to version 9.3.3, and the following components contain vulnerabilities :

 - CFNetwork
 - libxml2
 - WebKit
 - CoreGraphics
 - FaceTime
 - ImageIO
 - IOHIDFamily
 - Sandbox
 - Kernel
 - libxslt
 - Calender
 - IOAcceleratorFamily
 - Safari
 - Siri Contacts
 - Web Media

The remote host is running a version of Mac OS X version 10.11.x prior to 10.11.6, and the following components contain vulnerabilities :

 - ACMP4AACBaseDecoder
 - Audio
 - CFNetwork
 - CoreGraphics
 - DspFuncLib
 - FaceTime
 - Graphics
 - IOHIDFamily
 - IOSurface
 - ImageIO
 - Kernel
 - QuickTime
 - Safari
 - Sandbox
 - libxml2

Versions of Apple TV 9.2.x prior to 9.2.2 are affected by multiple vulnerabilities in the following components :

 - CFNetwork
 - CoreGraphics
 - IOAcceleratorFamily
 - IOHIDFamily
 - ImageIO
 - Kernel
 - libxml2
 - libxslt
 - Sandbox

The remote host is running a version of Mac OS X that is 10.9.5 or 10.10.5 and is missing Security Update 2016-004. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php (affects 10.10.5 only)
  - CoreGraphics
  - ImageIO
  - libxml2
  - libxslt

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The remote host is running a version of Mac OS X that is 10.11.x prior to 10.11.6. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache_mod_php
  - Audio
  - bsdiff
  - CFNetwork
  - CoreGraphics
  - FaceTime
  - Graphics Drivers
  - ImageIO
  - Intel Graphics Driver
  - IOHIDFamily
  - IOKit
  - IOSurface
  - Kernel
  - libc++abi
  - libexpat
  - LibreSSL
  - libxml2
  - libxslt
  - Login Window
  - OpenSSL
  - QuickTime
  - Safari Login AutoFill
  - Sandbox Profiles

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to its banner, the version of the remote Apple TV device is prior to 9.2.2. It is, therefore, affected by multiple vulnerabilities in the following components :

  - CoreGraphics
  - ImageIO
  - IOAcceleratorFamily
  - IOHIDFamily
  - Kernel
  - libxml2
  - libxslt
  - Sandbox Profiles
  - WebKit
  - WebKit Page Loading

Note that only 4th generation models are affected by the vulnerabilities.

The version of Apple iTunes running on the remote Windows host is prior to 12.4.2. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist in the libxslt     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-1684,     CVE-2016-4607, CVE-2016-4608, CVE-2016-4609,     CVE-2016-4610, CVE-2016-4612)

  - Multiple memory corruption issues exist in the libxml2     component that allow a remote attacker to cause a denial     of service condition or the execution of arbitrary code.
    (CVE-2016-1836, CVE-2016-4447, CVE-2016-4448,     CVE-2016-4483, CVE-2016-4614, CVE-2016-4615,     CVE-2016-4616, CVE-2016-4619)

  - An XXE (Xml eXternal Entity) injection vulnerability     exists in the libxml2 component due to an incorrectly     configured XML parser accepting XML external entities     from an untrusted source. A remote attacker can exploit     this, via a specially crafted XML file, to disclose     arbitrary files and user information. (CVE-2016-4449)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apple iTunes installed on the remote Windows host is prior to 12.4.2. It is, therefore, affected by multiple vulnerabilities :

  - Multiple memory corruption issues exist in the libxslt     component due to improper validation of user-supplied     input. An unauthenticated, remote attacker can exploit     this to cause a denial of service condition or the     execution of arbitrary code. (CVE-2016-1684,     CVE-2016-4607, CVE-2016-4608, CVE-2016-4609,     CVE-2016-4610, CVE-2016-4612)

  - Multiple memory corruption issues exist in the libxml2     component that allow a remote attacker to cause a denial     of service condition or the execution of arbitrary code.
    (CVE-2016-1836, CVE-2016-4447, CVE-2016-4448,     CVE-2016-4483, CVE-2016-4614, CVE-2016-4615,     CVE-2016-4616, CVE-2016-4619)

  - An XXE (Xml eXternal Entity) injection vulnerability     exists in the libxml2 component due to an incorrectly     configured XML parser accepting XML external entities     from an untrusted source. A remote attacker can exploit     this, via a specially crafted XML file, to disclose     arbitrary files and user information. (CVE-2016-4449)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of iOS running on the mobile device is prior to 9.3.3. It is, therefore, affected by multiple vulnerabilities, the most serious of which can result in remote code execution, in the following components :

  - Calendar
  - CoreGraphics
  - FaceTime
  - ImageIO
  - IOAcceleratorFamily
  - IOHIDFamily
  - Kernel
  - libxml2
  - libxslt
  - Safari
  - Sandbox Profiles
  - Siri Contacts
  - Web Media
  - WebKit
  - WebKit JavaScript Bindings
  - WebKit Page Loading

ID	Name	Product	Family	Severity
132162	EulerOS 2.0 SP3 : libxslt (EulerOS-SA-2019-2627)	Nessus	Huawei Local Security Checks	critical
131672	EulerOS 2.0 SP2 : libxslt (EulerOS-SA-2019-2519)	Nessus	Huawei Local Security Checks	critical
126015	Fedora 30 : mingw-libxslt (2019-320d5295fc)	Nessus	Fedora Local Security Checks	high
802026	Mac OS X < 10.11.6 Multiple Vulnerabilities	Log Correlation Engine	Operating System Detection	critical
9445	Apple iOS 9.3.x < 9.3.3 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high
9441	Mac OS X 10.11.x < 10.11.6 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
9430	Apple TV 9.2.x < 9.2.2 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	medium
92497	Mac OS X 10.9.5 and 10.10.5 Multiple Vulnerabilities (Security Update 2016-004)	Nessus	MacOS X Local Security Checks	critical
92496	Mac OS X 10.11.x < 10.11.6 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
92494	Apple TV < 9.2.2 Multiple Vulnerabilities	Nessus	Misc.	critical
92411	Apple iTunes < 12.4.2 Multiple Vulnerabilities (uncredentialed check)	Nessus	Peer-To-Peer File Sharing	critical
92410	Apple iTunes < 12.4.2 Multiple Vulnerabilities (credentialed check)	Nessus	Windows	critical
92359	Apple iOS < 9.3.3 Multiple Vulnerabilities	Nessus	Mobile Devices	critical

CVE-2016-4608

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

critical

critical

high

critical

high

critical

medium

critical

critical

critical

critical

critical

critical