Mission and Overview
NVD is the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status
NVD contains:

Last updated: 9/5/2015 12:20:39 PM

CVE Publication rate: 20.47

Email List

NVD provides four mailing lists to the public. For information and subscription instructions please visit NVD Mailing Lists

Workload Index
Vulnerability Workload Index: 9.9
About Us
NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security's National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
CVE-2015-6276

Summary: Cisco TelePresence IX5000 8.0.3 stores a private key associated with an X.509 certificate under the web root with insufficient access control, which allows remote attackers to obtain cleartext versions of HTTPS traffic or spoof devices via a direct request to the certificate directory, aka Bug ID CSCuu63501.

Published: 9/4/2015 10:59:05 PM

CVE-2015-5986

Summary: openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted DNS response.

Published: 9/4/2015 10:59:04 PM

CVE-2015-5722

Summary: buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone.

Published: 9/4/2015 10:59:03 PM

CVE-2015-2991

Summary: Buffer overflow in NScripter before 3.00 allows remote attackers to execute arbitrary code via crafted save data.

Published: 9/4/2015 10:59:01 PM

CVE-2015-2990

Summary: Directory traversal vulnerability in NEOJAPAN desknet NEO 2.0R1.0 through 2.5R1.4 allows remote authenticated users to read arbitrary files via a crafted parameter.

Published: 9/4/2015 10:59:00 PM

CVE-2015-6812

Summary: Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.0.12.1 allows remote attackers to cause a denial of service (loop and memory consumption) via a crafted URL.

Published: 9/4/2015 1:59:00 PM

CVSS Severity: 7.8 HIGH
CVE-2015-6811

Summary: SQL injection vulnerability in the Sophos Cyberoam CR500iNG-XP firewall appliance with CyberoamOS 10.6.2 MR-1 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter to login.xml.

Published: 9/4/2015 11:59:09 AM

CVSS Severity: 7.5 HIGH
CVE-2015-6810

Summary: Cross-site scripting (XSS) vulnerability in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) 4.x before 4.0.12.1 allows remote authenticated users to inject arbitrary web script or HTML via the event_location[address] array parameter to calendar/submit/.

Published: 9/4/2015 11:59:08 AM

CVSS Severity: 3.5 LOW
CVE-2015-6809

Summary: Multiple cross-site scripting (XSS) vulnerabilities in BEdita before 3.6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) cfg[projectName] parameter to index.php/admin/saveConfig, the (2) data[stats_provider_url] parameter to index.php/areas/saveArea, or the (3) data[description] parameter to index.php/areas/saveSection.

Published: 9/4/2015 11:59:06 AM

CVSS Severity: 4.3 MEDIUM
CVE-2015-6808

Summary: Cross-site scripting (XSS) vulnerability in the Spotlight module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title.

Published: 9/4/2015 11:59:05 AM

CVSS Severity: 3.5 LOW
CVE-2015-6807

Summary: Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.

Published: 9/4/2015 11:59:04 AM

CVSS Severity: 2.1 LOW
CVE-2015-5688

Summary: Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI.

Published: 9/4/2015 11:59:02 AM

CVSS Severity: 5.0 MEDIUM
CVE-2015-5612

Summary: Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrary web script or HTML via the caption tag of a profile image.

Published: 9/4/2015 11:59:01 AM

CVSS Severity: 4.3 MEDIUM
CVE-2014-9605

Summary: WebUpgrade in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and create a system backup tarball, restart the server, or stop the filters on the server via a ' (single quote) character in the login and password parameters to webupgrade/webupgrade.php. NOTE: this was originally reported as an SQL injection vulnerability, but this may be inaccurate.

Published: 9/4/2015 11:59:00 AM

CVSS Severity: 9.4 HIGH
CVE-2015-6259

Summary: The JavaServer Pages (JSP) component in Cisco Integrated Management Controller (IMC) Supervisor before 1.0.0.1 and UCS Director (formerly Cloupia Unified Infrastructure Controller) before 5.2.0.1 allows remote attackers to write to arbitrary files via crafted HTTP requests, aka Bug IDs CSCus36435 and CSCus62625.

Published: 9/3/2015 9:59:02 PM

CVSS Severity: 9.4 HIGH
CVE-2015-4544

Summary: EMC Documentum Content Server before 7.1P20 and 7.2.x before 7.2P04 does not properly verify authorization for dm_job object access, which allows remote authenticated users to obtain superuser privileges via crafted object operations. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4626.

Published: 9/3/2015 9:59:01 PM

CVSS Severity: 9.0 HIGH
CVE-2015-4538

Summary: The XML parser in EMC Atmos before 2.2.3.426 and 2.3.x before 2.3.1.0 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Published: 9/3/2015 9:59:00 PM

CVSS Severity: 7.5 HIGH
CVE-2015-6583

Summary: Google Chrome before 45.0.2454.85 does not display a location bar for a hosted app's window after navigation away from the installation site, which might make it easier for remote attackers to spoof content via a crafted app, related to browser.cc and hosted_app_browser_controller.cc.

Published: 9/3/2015 6:59:16 PM

CVSS Severity: 4.3 MEDIUM
CVE-2015-6582

Summary: The decompose function in platform/transforms/TransformationMatrix.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not verify that a matrix inversion succeeded, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted web site.

Published: 9/3/2015 6:59:15 PM

CVSS Severity: 6.8 MEDIUM
CVE-2015-6581

Summary: Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_tcd function in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 45.0.2454.85, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by triggering a memory-allocation failure.

Published: 9/3/2015 6:59:14 PM

CVSS Severity: 7.5 HIGH