The MCX Desktop Config Profiles implementation in Apple OS X before 10.10 retains web-proxy settings from uninstalled mobile-configuration profiles, which allows remote attackers to obtain sensitive. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable. No vendor patch available.
Mail Service in Apple OS X Server before 4.0 does not enforce SACL changes until after a service restart, which allows remote authenticated users to bypass intended access restrictions in. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.
Dock in Apple OS X before 10.10 does not properly manage the screen-lock state, which allows physically proximate attackers to view windows by leveraging an unattended workstation. Rated low severity (CVSS 2.1), this vulnerability is low attack complexity. No vendor patch available.
Profile Manager in Apple OS X Server before 4.0 allows local users to discover cleartext passwords by reading a file after a (1) profile setup or (2) profile edit occurs. Rated low severity (CVSS 1.9). No vendor patch available.