VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-5xuq-n3bu-1bbb

Essentials
Severities (12)
References (17)
Severity details (2)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-5xuq-n3bu-1bbb
Aliases	CVE-2014-1595
Summary	Security researcher Kent Howard reported an Apple issue present in OS X 10.10 (Yosemite) where log files are created by the CoreGraphics framework of OS X in the /tmp local directory. These log files contain a record of all inputs into Mozilla programs during their operation. In versions of OS X from versions 10.6 through 10.9, the CoreGraphics had this logging ability but it was turned off by default. In OS X 10.10, this logging was turned on by default for some applications that use a custom memory allocator, such as jemalloc, because of an initialization bug in the framework. This issue has been addressed in Mozilla products by explicitly turning off the framework's logging of input events. On vulnerable systems, this issue can result in private data such as usernames, passwords, and other inputted data being saved to a log file on the local system. This issue does not affect OS X users prior to 10.10. Users on OS X 10.10 should go to their /tmp folder and delete any files with names beginning with "CGLog_" followed by the name of a Mozilla product, such as "CGLog_firefox".
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-199

Information Management Errors

System	Score	Found at
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
epss	0.00085	https://api.first.org/data/v1/epss?cve=CVE-2014-1595
cvssv2	2.1	https://nvd.nist.gov/vuln/detail/CVE-2014-1595
generic_textual	high	https://www.mozilla.org/en-US/security/advisories/mfsa2014-90

Reference id	Reference type	URL
		http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
		https://api.first.org/data/v1/epss?cve=CVE-2014-1595
		https://bugzilla.mozilla.org/show_bug.cgi?id=1092855
		http://support.apple.com/HT204244
		http://www.mozilla.org/security/announce/2014/mfsa2014-90.html
		http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
		http://www.reddit.com/r/netsec/comments/2ocxac/apple_coregraphics_framework_on_os_x_1010_is/
cpe:2.3:a:mozilla:firefox::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox::::::::
cpe:2.3:a:mozilla:firefox:31.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:31.0:::::::*
cpe:2.3:a:mozilla:firefox:31.1.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:31.1.0:::::::*
cpe:2.3:a:mozilla:firefox:31.1.1:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:31.1.1:::::::*
cpe:2.3:a:mozilla:firefox_esr:31.2:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox_esr:31.2:::::::*
cpe:2.3:a:mozilla:thunderbird::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird::::::::
cpe:2.3:o:apple:mac_os_x:10.10.0:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:apple:mac_os_x:10.10.0:::::::*
CVE-2014-1595		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1595
CVE-2014-1595		https://nvd.nist.gov/vuln/detail/CVE-2014-1595
mfsa2014-90		https://www.mozilla.org/en-US/security/advisories/mfsa2014-90

No exploits are available.

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2014-1595

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Exploit Prediction Scoring System (EPSS)

Percentile	0.24729
EPSS Score	0.00085
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:18:11.316102+00:00	Mozilla Importer	Import	https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2014/mfsa2014-90.md	38.0.0