Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 1/27/2015 12:46:16 AM

CVE Publication rate: 22.97

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists.

Workload Index
Vulnerability Workload Index: 8.54
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

CVE-2015-1308

Summary: kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allow remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locked.

Published: 1/26/2015 10:59:16 AM

CVSS Severity: 4.3 MEDIUM

CVE-2015-1307

Summary: plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package.

Published: 1/26/2015 10:59:15 AM

CVSS Severity: 4.3 MEDIUM

CVE-2015-1179

Summary: Multiple cross-site scripting (XSS) vulnerabilities in data_point_details.shtm in Mango Automation 2.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dpid, (2) dpxid, or (3) pid parameter.

Published: 1/26/2015 10:59:14 AM

CVSS Severity: 4.3 MEDIUM

CVE-2015-1178

Summary: Multiple cross-site scripting (XSS) vulnerabilities in cart.php in X-Cart 5.1.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) product_id or (2) category_id parameter.

Published: 1/26/2015 10:59:13 AM

CVSS Severity: 4.3 MEDIUM

CVE-2014-9573

Summary: SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie.

Published: 1/26/2015 10:59:12 AM

CVSS Severity: 6.0 MEDIUM

CVE-2014-9572

Summary: MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Published: 1/26/2015 10:59:11 AM

CVSS Severity: 7.5 HIGH

CVE-2014-9571

Summary: Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter.

Published: 1/26/2015 10:59:10 AM

CVSS Severity: 4.3 MEDIUM

CVE-2014-8158

Summary: Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image.

Published: 1/26/2015 10:59:09 AM

CVSS Severity: 6.8 MEDIUM

CVE-2014-8157

Summary: Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow.

Published: 1/26/2015 10:59:04 AM

CVSS Severity: 7.5 HIGH

CVE-2014-8148

Summary: The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges.

Published: 1/26/2015 10:59:00 AM

CVSS Severity: 7.2 HIGH

CVE-2015-0311

Summary: Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.

Published: 1/23/2015 4:59:04 PM

CVSS Severity: 10.0 HIGH

CVE-2015-0310

Summary: Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015.

Published: 1/23/2015 4:59:00 PM

CVSS Severity: 10.0 HIGH

CVE-2015-1347

Summary: Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket before 1.9.5.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

Published: 1/23/2015 10:59:14 AM

CVSS Severity: 4.3 MEDIUM

CVE-2015-1200

Summary: Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for the output file when compressing a file before changing the permission to match the original file, which allows local users to bypass the intended access restrictions.

Published: 1/23/2015 10:59:12 AM

CVSS Severity: 2.1 LOW

CVE-2015-1180

Summary: Cross-site scripting (XSS) vulnerability in the Web Reports in EventSentry 3.1.0 allows remote attackers to inject arbitrary web script or HTML via the pageId parameter to networktile/bullet.

Published: 1/23/2015 10:59:12 AM

CVSS Severity: 4.3 MEDIUM

CVE-2015-1176

Summary: Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in osTicket before 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the status parameter in a search action.

Published: 1/23/2015 10:59:11 AM

CVSS Severity: 4.3 MEDIUM

CVE-2014-9640

Summary: oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

Published: 1/23/2015 10:59:10 AM

CVSS Severity: 5.0 MEDIUM

CVE-2014-9639

Summary: Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access.

Published: 1/23/2015 10:59:09 AM

CVSS Severity: 5.0 MEDIUM

CVE-2014-9638

Summary: oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero.

Published: 1/23/2015 10:59:07 AM

CVSS Severity: 5.0 MEDIUM

CVE-2014-9623

Summary: OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state.

Published: 1/23/2015 10:59:06 AM

CVSS Severity: 4.0 MEDIUM