Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 10/25/2014 2:57:59 PM

CVE Publication rate: 50.77

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 14.81
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
CVE-2014-6611

Summary: The BlackBerry World app before 5.0.0.262 on BlackBerry 10 OS 10.2.0, before 5.0.0.263 on BlackBerry 10 OS 10.2.1, and before 5.1.0.53 on BlackBerry 10 OS 10.3.0 does not properly validate download/update requests, which allows user-assisted man-in-the-middle attackers to spoof servers and trigger the download of a crafted app by modifying the client-server data stream.

Published: 10/25/2014 6:55:06 AM

CVE-2014-6152

Summary: Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Integrated Portal (TIP) 2.2.x allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Published: 10/25/2014 6:55:06 AM

CVE-2014-6151

Summary: CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Published: 10/25/2014 6:55:06 AM

CVE-2014-4624

Summary: EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

Published: 10/25/2014 6:55:06 AM

CVE-2014-4623

Summary: EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack.

Published: 10/25/2014 6:55:06 AM

CVE-2014-4620

Summary: The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

Published: 10/25/2014 6:55:06 AM

CVE-2014-3409

Summary: The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

Published: 10/25/2014 6:55:05 AM

CVE-2014-8760

Summary: ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.

Published: 10/24/2014 8:55:05 PM

CVE-2014-7180

Summary: Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Published: 10/24/2014 8:55:04 PM

CVE-2014-6251

Summary: Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

Published: 10/24/2014 8:55:03 PM

CVE-2014-6230

Summary: WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

Published: 10/24/2014 8:55:03 PM

CVE-2014-3604

Summary: Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: 10/24/2014 8:55:03 PM

CVE-2014-2021

Summary: Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

Published: 10/24/2014 8:55:02 PM

CVE-2014-8346

Summary: The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

Published: 10/24/2014 6:55:05 AM

CVSS Severity: 7.8 HIGH
CVE-2014-7298

Summary: adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

Published: 10/24/2014 6:55:05 AM

CVSS Severity: 4.9 MEDIUM
CVE-2014-8073

Summary: Cross-site request forgery (CSRF) vulnerability in OpenMRS 2.1 Standalone Edition allows remote attackers to hijack the authentication of administrators for requests that add a new user via a Save User action to admin/users/user.form.

Published: 10/23/2014 10:55:02 AM

CVSS Severity: 6.8 MEDIUM
CVE-2014-8072

Summary: The administration module in OpenMRS 2.1 Standalone Edition allows remote authenticated users to obtain read access via a direct request to /admin.

Published: 10/23/2014 10:55:02 AM

CVSS Severity: 4.0 MEDIUM
CVE-2014-8071

Summary: Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to allergyui/allergy.page; the (6) w10 parameter to htmlformentryui/htmlform/enterHtmlForm/submit.action; the (7) HTTP Referer Header to login.htm; the (8) returnUrl parameter to htmlformentryui/htmlform/enterHtmlFormWithStandardUi.page or (9) coreapps/mergeVisits.page; or the (10) visitId parameter to htmlformentryui/htmlform/enterHtmlFormWithSimpleUi.page.

Published: 10/23/2014 10:55:02 AM

CVSS Severity: 4.3 MEDIUM
CVE-2014-7292

Summary: Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

Published: 10/23/2014 10:55:02 AM

CVSS Severity: 5.8 MEDIUM
CVE-2014-7281

Summary: Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Published: 10/23/2014 10:55:02 AM

CVSS Severity: 6.8 MEDIUM