Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 10/23/2014 6:11:42 AM

CVE Publication rate: 53.33

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 15.4
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
CVE-2014-4766

Summary: IBM Sametime Classic Meeting Server 8.0.x and 8.5.x allows remote attackers to obtain sensitive information by reading an exported Record and Playback (RAP) file.

Published: 10/22/2014 9:55:16 PM

CVE-2014-3829

Summary: displayServiceStatus.php in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) session_id or (2) template_id parameter, related to the command_line variable.

Published: 10/22/2014 9:55:16 PM

CVE-2014-3828

Summary: Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id parameter to views/graphs/graphStatus/displayServiceStatus.php, (4) the mnftr_id parameter to configuration/configObject/traps/GetXMLTrapsForVendor.php, or (5) the index parameter to common/javascript/commandGetArgs/cmdGetExample.php in include/.

Published: 10/22/2014 9:55:16 PM

CVE-2014-8764

Summary: DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.

Published: 10/22/2014 10:55:08 AM

CVE-2014-8763

Summary: DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.

Published: 10/22/2014 10:55:08 AM

CVE-2014-8762

Summary: The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.

Published: 10/22/2014 10:55:08 AM

CVE-2014-8761

Summary: inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.

Published: 10/22/2014 10:55:08 AM

CVE-2014-8381

Summary: Multiple cross-site scripting (XSS) vulnerabilities in Megapolis.Portal Manager allow remote attackers to inject arbitrary web script or HTML via the (1) dateFrom or (2) dateTo parameter.

Published: 10/22/2014 10:55:08 AM

CVSS Severity: 4.3 MEDIUM
CVE-2014-8325

Summary: The Calendar Base (cal) extension before 1.5.9 and 1.6.x before 1.6.1 for TYPO3 allows remote attackers to cause a denial of service (resource consumption) via vectors related to the PHP PCRE library.

Published: 10/22/2014 10:55:08 AM

CVE-2014-8088

Summary: The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.

Published: 10/22/2014 10:55:07 AM

CVE-2014-7968

Summary: VDSM allows remote attackers to cause a denial of service (connection blocking) by keeping an SSL connection open.

Published: 10/22/2014 10:55:07 AM

CVE-2014-7183

Summary: Multiple cross-site scripting (XSS) vulnerabilities in the search.php in LiteCart 1.1.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) query parameter or (2) QUERY_STRING.

Published: 10/22/2014 10:55:06 AM

CVSS Severity: 4.3 MEDIUM
CVE-2014-7182

Summary: Multiple cross-site scripting (XSS) vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the poly_id parameter in an (1) edit_poly, (2) edit_polyline, or (3) edit_marker action in the wp-google-maps-menu page to wp-admin/admin.php.

Published: 10/22/2014 10:55:06 AM

CVE-2014-6387

Summary: gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind.

Published: 10/22/2014 10:55:06 AM

CVE-2014-6352

Summary: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.

Published: 10/22/2014 10:55:06 AM

CVE-2014-3677

Summary: Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

Published: 10/22/2014 10:55:06 AM

CVE-2014-3676

Summary: Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

Published: 10/22/2014 10:55:06 AM

CVE-2014-3675

Summary: Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

Published: 10/22/2014 10:55:06 AM

CVE-2013-7407

Summary: Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 10/22/2014 10:55:06 AM

CVSS Severity: 6.8 MEDIUM
CVE-2014-4450

Summary: The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discover credentials by reading credential values within unintended DOM input elements.

Published: 10/22/2014 6:55:02 AM

CVSS Severity: 1.9 LOW