Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 5/4/2015 12:06:23 AM

CVE Publication rate: 16.83

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 6.63
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
CVE-2015-0714

Summary: Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse Server 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCut53595.

Published: 5/2/2015 10:59:00 AM

CVE-2015-3633

Summary: Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow remote attackers to cause a denial of service (memory corruption and crash) via vectors related to digital signatures.

Published: 5/1/2015 11:59:12 AM

CVE-2015-3632

Summary: Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow remote attackers to cause a denial of service (memory corruption and crash) via a crafted GIF in a PDF file.

Published: 5/1/2015 11:59:10 AM

CVE-2015-3446

Summary: The Framework Daemon in AlienVault Unified Security Management before 4.15 allows remote attackers to execute arbitrary Python code via a crafted plugin configuration file (.cfg).

Published: 5/1/2015 11:59:08 AM

CVE-2015-3435

Summary: Samsung Security Manager (SSM) before 1.31 allows remote attackers to execute arbitrary code by uploading a file with an HTTP (1) PUT or (2) MOVE request.

Published: 5/1/2015 11:59:08 AM

CVE-2015-3337

Summary: Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

Published: 5/1/2015 11:59:06 AM

CVE-2015-3153

Summary: The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

Published: 5/1/2015 11:59:05 AM

CVE-2015-2248

Summary: Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for requests that create bookmarks via a crafted request to cgi-bin/editBookmark.

Published: 5/1/2015 11:59:04 AM

CVE-2015-0257

Summary: Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local users to obtain sensitive information by reading files in the directory.

Published: 5/1/2015 11:59:03 AM

CVE-2015-0237

Summary: Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain.

Published: 5/1/2015 11:59:02 AM

CVE-2014-8361

Summary: The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.

Published: 5/1/2015 11:59:01 AM

CVE-2014-3598

Summary: The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

Published: 5/1/2015 11:59:00 AM

CVE-2015-1250

Summary: Multiple unspecified vulnerabilities in Google Chrome before 42.0.2311.135 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

Published: 5/1/2015 6:59:05 AM

CVE-2015-1243

Summary: Use-after-free vulnerability in the MutationObserver::disconnect function in core/dom/MutationObserver.cpp in the DOM implementation in Blink, as used in Google Chrome before 42.0.2311.135, allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering an attempt to unregister a MutationObserver object that is not currently registered.

Published: 5/1/2015 6:59:05 AM

CVSS Severity: 7.5 HIGH

CVE-2015-0914

Summary: EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request.

Published: 5/1/2015 6:59:04 AM

CVSS Severity: 5.0 MEDIUM

CVE-2015-0913

Summary: Cross-site scripting (XSS) vulnerability in EasyCTF before 1.4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

Published: 5/1/2015 6:59:03 AM

CVE-2015-0912

Summary: EasyCTF before 1.4 allows remote authenticated users to write executable content to files via unspecified vectors.

Published: 5/1/2015 6:59:02 AM

CVSS Severity: 6.5 MEDIUM

CVE-2015-0712

Summary: The session-manager service in Cisco StarOS 12.0, 12.2(300), 14.0, and 14.0(600) on ASR 5000 devices allows remote attackers to cause a denial of service (service reload and packet loss) via malformed HTTP packets, aka Bug ID CSCud14217.

Published: 5/1/2015 6:59:01 AM

CVSS Severity: 5.0 MEDIUM

CVE-2015-0532

Summary: EMC RSA Identity Management and Governance (IMG) 6.9 before P04 and 6.9.1 before P01 does not properly restrict password resets, which allows remote attackers to obtain access via crafted use of the reset process for an arbitrary valid account name, as demonstrated by a privileged account.

Published: 5/1/2015 6:59:00 AM

CVSS Severity: 7.5 HIGH

CVE-2015-3459

Summary: Hospira Lifecare PCA infusion pump running "SW ver 412" does not require authentication for Telnet sessions, which allows remote attackers to gain root privileges via TCP port 23.

Published: 4/29/2015 7:59:00 PM

CVSS Severity: 10.0 HIGH