In macOS High Sierra before 10.13.5, an out-of-bounds read was addressed with improved input validation.

An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Magnifier" component. It allows physically proximate attackers to bypass the lock-screen protection mechanism and see the most recent Magnifier image.

A consistency issue existed in the handling of application snapshots. The issue was addressed with improved handling of message deletions. This issue affected versions prior to iOS 12, tvOS 12, watchOS 5.

A lock screen issue allowed access to photos and contacts on a locked device. This issue was addressed by restricting options offered on a locked device. This issue affected versions prior to iOS 12.0.1.

An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Siri" component. It allows physically proximate attackers to bypass the lock-screen protection mechanism and obtain private notification content via Siri.

An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. iCloud before 7.5 on Windows is affected. iTunes before 12.7.5 on Windows is affected. watchOS before 4.3.1 is affected. The issue involves the "Security" component. It allows local users to bypass intended restrictions on the reading of sensitive user information.

An issue was discovered in certain Apple products. iOS before 11.3 is affected. The issue involves the "Files Widget" component. It allows physically proximate attackers to obtain sensitive information by leveraging the display of cached data on a locked device.

In macOS High Sierra before 10.13.4, there was an issue with the handling of smartcard PINs. This issue was addressed with additional logic.

Notes in Apple OS X before 10.11 misparses links, which allows local users to obtain sensitive information via unspecified vectors.

CFNetwork in Apple iOS before 9 relies on the hardware UID for its cache encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

Siri in Apple iOS before 9 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.

XNU in the kernel in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows local users to obtain sensitive memory-layout information via unknown vectors.

Apple iOS before 9.0.2 does not properly restrict the options available on the lock screen, which allows physically proximate attackers to read contact data or view photos via unspecified vectors.

The debugging interfaces in the kernel in Apple OS X before 10.11 allow local users to obtain sensitive memory-layout information via unspecified vectors.

The Lock Screen component in Apple iOS before 8.3 does not properly enforce the limit on incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses.

The QuickType feature in the Keyboards subsystem in Apple iOS before 8.3 allows physically proximate attackers to discover passcodes by reading the lock screen during use of a Bluetooth keyboard.

This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to an iOS device may be able to access notes from the lock screen.

NetworkExtension in Apple iOS before 8.3 stores credentials in VPN configuration logs, which makes it easier for physically proximate attackers to obtain sensitive information by reading a log file.

This issue was addressed through improved state management. This issue is fixed in watchOS 10.5. A person with physical access to a device may be able to view contact information from the lock screen.

The Passcode Lock implementation in Apple iOS before 6 does not properly restrict photo viewing, which allows physically proximate attackers to view arbitrary stored photos by spoofing a time value.

LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive information by reading the screen.

UserAccountUpdater in Apple OS X 10.10 before 10.10.2 stores a PDF document's password in a printing preference file, which allows local users to obtain sensitive information by reading a file.

SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users' protected files via a Spotlight query.

A lock screen issue allowed access to the share function on a locked device. This issue was addressed by restricting options offered on a locked device. This issue affected versions prior to iOS 12.1.

An issue was discovered in certain Apple products. iOS before 11.4 is affected. The issue involves the "Siri Contacts" component. It allows physically proximate attackers to discover private contact information via Siri.

This issue was addressed with improved entitlements. This issue affected versions prior to iOS 12.

A permissions issue existed in which execute permission was incorrectly granted. This issue was addressed with improved permission validation. This issue affected versions prior to macOS High Sierra 10.13.4.

A logic issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4. A user's locked tabs may be briefly visible while switching tab groups when Locked Private Browsing is enabled.

This issue was addressed through improved state management. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to view restricted content from the lock screen.

IOGraphicsFamily in Apple OS X before 10.9.4 allows local users to bypass the ASLR protection mechanism by leveraging read access to a kernel pointer in an IOKit object.

The issue was addressed with improved permissions logic. This issue is fixed in iOS 15.2 and iPadOS 15.2. A person with physical access to an iOS device may be able to access contacts from the lock screen.

A local attacker may be able to view Now Playing information from the lock screen. This issue is fixed in macOS Big Sur 11.4, iOS 14.6 and iPadOS 14.6. A privacy issue in Now Playing was addressed with improved permissions.

This issue was addressed with improved checks. This issue is fixed in iOS 15 and iPadOS 15, watchOS 8. A local attacker may be able to read sensitive information.

The issue was addressed with improved permissions logic. This issue is fixed in iOS 15 and iPadOS 15. An attacker with physical access to a device may be able to see private contact information.

The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which allows attackers to discover usernames, passwords, and e-mail addresses via an application that reads session.clslog.

An issue was discovered in certain Apple products. iOS before 10.3.3 is affected. The issue involves the "Notifications" component. It allows physically proximate attackers to read unintended notifications on the lock screen.

This issue was addressed by restricting options offered on a locked device. This issue is fixed in iOS 17.7 and iPadOS 17.7, iOS 18 and iPadOS 18, macOS Sequoia 15. An attacker with physical access to a device may be able to read contact numbers from the lock screen.

The issue was addressed with improved checks. This issue is fixed in iOS 18 and iPadOS 18. An attacker with physical access may be able to access contacts from the lock screen.

The issue was addressed with improved UI handling. This issue is fixed in iOS 14.5 and iPadOS 14.5. A local user may be able to view sensitive information in the app switcher.

This issue was addressed with improved data protection. This issue is fixed in macOS Catalina 10.15.6. A local user may be able to leak sensitive user information.

A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1. A person with physical access to an iOS device may be able to access contacts from the lock screen.

An access issue was addressed with improved memory management. This issue is fixed in macOS Mojave 10.14.4. A local user may be able to view a user’s locked notes.