Mission and Overview
NVD is the U.S. government repository of standards-based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance (e.g. FISMA).
Resource Status

NVD contains:

30838 CVE Vulnerabilities
160 Checklists
141 US-CERT Alerts
2192 US-CERT Vuln Notes
3259 OVAL Queries

Last updated: 05/09/08

CVE Publication rate: 14 vulnerabilities / day
Email List

NVD provides four mailing lists to the public. For information and subscription instructions, please visit NVD Mailing Lists.

Workload Index
Vulnerability Workload Index: 8.00
About Us

NVD is a product of the NIST Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA, and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).

NVD now maps to CWE!  See NVD CWE for more details.


Recent CVE Vulnerabilities
CVE-2008-2135  (ezContents)
Publish Date: 5/9/2008   CVSS Severity: 7.5 (High)
Multiple SQL injection vulnerabilities in VisualShapers ezContents 2.0.0 allow remote attackers to execute arbitrary SQL commands via the (1) contentname parameter to showdetails.php and the (2) article parameter to printer.php.

CVE-2008-2134  (NukeET)
Publish Date: 5/9/2008   CVSS Severity: 5.8 (Medium)
The Journal module in Tru-Zone Nuke ET 3.x allows remote attackers to obtain access to arbitrary user accounts, and alter or delete data, via a modified username in an unspecified cookie.

CVE-2008-2133  (NukeET)
Publish Date: 5/9/2008   CVSS Severity: 4.3 (Medium)
Cross-site scripting (XSS) vulnerability in the Journal module in Tru-Zone Nuke ET 3.x allows remote attackers to inject arbitrary web script or HTML via the title parameter in a new entry, as demonstrated by a CSS property in the STYLE attribute of a DIV element, a different vulnerability than CVE-2008-1873.

CVE-2008-2132  (PostcardMentor)
Publish Date: 5/9/2008   CVSS Severity: 7.5 (High)
SQL injection vulnerability in step1.asp in Systementor PostcardMentor allows remote attackers to execute arbitrary SQL commands via the cat_fldAuto parameter.

CVE-2008-2131  (mvnForum)
Publish Date: 5/9/2008   CVSS Severity: 4.3 (Medium)
Cross-site scripting (XSS) vulnerability in mvnForum 1.1 GA allows remote authenticated users to inject arbitrary web script or HTML via the topic field, which is later displayed by user/viewthread.jsp through use of the "quick reply button."

CVE-2008-2130  (CMS)
Publish Date: 5/9/2008   CVSS Severity: 6.8 (Medium)
SQL injection vulnerability in poll_vote.php in iGaming CMS 1.5 allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVE-2008-2129  (Galleristic)
Publish Date: 5/9/2008   CVSS Severity: 6.8 (Medium)
SQL injection vulnerability in index.php in Galleristic 1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the cat parameter.

CVE-2008-2128  (CMS Faethon)
Publish Date: 5/9/2008   CVSS Severity: 6.8 (Medium)
PHP remote file inclusion vulnerability in templates/header.php in CMS Faethon 2.2 Ultimate allows remote attackers to execute arbitrary PHP code via a URL in the mainpath parameter, a different vulnerability than CVE-2006-5588 and CVE-2006-3185.

CVE-2008-2127  (CMS Faethon)
Publish Date: 5/9/2008   CVSS Severity: 7.5 (High)
Cross-site scripting (XSS) vulnerability in search.php in CMS Faethon 2.2 Ultimate allows remote attackers to inject arbitrary web script or HTML via the what parameter. NOTE: some of these details are obtained from third party information.

CVE-2008-2126  (CMS)
Publish Date: 5/9/2008   CVSS Severity: 7.5 (High)
Multiple cross-site scripting (XSS) vulnerabilities in Tux CMS 0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to index.php and the (2) returnURL parameter to tux-login.php.

CVE-2008-2125  (MusicBox)
Publish Date: 5/9/2008   CVSS Severity: 7.5 (High)
SQL injection vulnerability in viewalbums.php in Musicbox 2.3.6 and 2.3.7 allows remote attackers to execute arbitrary SQL commands via the artistId parameter.

CVE-2008-2124  (fipsCMS)
Publish Date: 5/9/2008   CVSS Severity: 7.5 (High)
SQL injection vulnerability in modules/print.asp in fipsASP fipsCMS allows remote attackers to execute arbitrary SQL commands via the lg parameter.

CVE-2008-2123  (Internet Transaction Server)
Publish Date: 5/9/2008   CVSS Severity: 4.3 (Medium)
Cross-site scripting (XSS) vulnerability in WGate in SAP Internet Transaction Server (ITS) 6.20 allows remote attackers to inject arbitrary web script or HTML via (1) a "<>" sequence in the ~service parameter to wgate.dll, or (2) Javascript splicing in the query string, a different vector than CVE-2006-5114.

CVE-2008-2122  (Rational Build Forge)
Publish Date: 5/9/2008   CVSS Severity: 5.0 (Medium)
IBM Rational Build Forge 7.0.2 allows remote attackers to cause a denial of service (CPU consumption) via a port scan, which spawns multiple bfagent server processes that attempt to read data from closed sockets.

CVE-2008-2121  (Solaris)
Publish Date: 5/9/2008   CVSS Severity: 7.8 (High)
The TCP implementation in Sun Solaris 8, 9, and 10 allows remote attackers to cause a denial of service (CPU consumption and new connection timeouts) via a TCP SYN flood attack.

CVE-2008-2120  (Java System Application Server, Java System Web Server)
Publish Date: 5/9/2008   CVSS Severity: 5.0 (Medium)
Unspecified vulnerability in Sun Java System Application Server 7 2004Q2 before Update 6, Web Server 6.1 before SP8, and Web Server 7.0 before Update 1 allows remote attackers to obtain source code of JSP files via unknown vectors.

CVE-2008-2118  (Project Alumni)
Publish Date: 5/8/2008   CVSS Severity: 7.5 (High)
SQL injection vulnerability in info.php in Project Alumni 1.0.9 allows remote attackers to execute arbitrary SQL commands via the id parameter.

CVE-2008-2117  (Project Alumni)
Publish Date: 5/8/2008   CVSS Severity: 4.3 (Medium)
Cross-site scripting (XSS) vulnerability in pages/news.page.inc in Project Alumni 1.0.9 allows remote attackers to inject arbitrary web script or HTML via the year parameter in a news action to index.php, a different vector than CVE-2007-6126.

CVE-2008-2116  (Power Editor)
Publish Date: 5/8/2008   CVSS Severity: 4.4 (Medium)
Multiple directory traversal vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to read arbitrary local files via a .. (dot dot) in the (1) te and (2) dir parameters in a tempedit action.

CVE-2008-2115  (Power Editor)
Publish Date: 5/8/2008   CVSS Severity: 4.3 (Medium)
Multiple cross-site scripting (XSS) vulnerabilities in editor.php in ScriptsEZ.net Power Editor 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) te and (2) dir parameters in a tempedit action.

CVE-2008-2114  (Pre Shopping Mall)
Publish Date: 5/8/2008   CVSS Severity: 7.5 (High)
SQL injection vulnerability in emall/search.php in Pre Shopping Mall 1.1 allows remote attackers to execute arbitrary SQL commands via the search parameter.

CVE-2008-2113  (phpeasydata)
Publish Date: 5/8/2008   CVSS Severity: 7.5 (High)
SQL injection vulnerability in annuaire.php in PHPEasyData 1.5.4 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.

CVE-2008-2112  (Ray Server Software)
Publish Date: 5/7/2008   CVSS Severity: 9.3 (High)
Unspecified vulnerability in Sun Ray Kiosk Mode 4.0 allows local and remote authenticated Sun Ray administrators to gain root privileges via unknown vectors related to utconfig.

CVE-2008-2042  (Acrobat 3D, Acrobat Reader, Acrobat Professional, Acrobat Standard)
Publish Date: 5/7/2008   CVSS Severity: 9.3 (High)
The Javascript API in Adobe Acrobat Professional 7.0.9 and possibly 8.1.1 exposes a dangerous method, which allows remote attackers to (1) execute arbitrary commands or (2) trigger a buffer overflow via a crafted PDF file that invokes app.checkForUpdate with a malicious callback function.

CVE-2008-1669  (Kernel)
Publish Date: 5/7/2008   CVSS Severity: 6.9 (Medium)
Linux kernel before 2.6.25.2 does not apply a certain protection mechanism for fcntl functionality, which allows local users to (1) execute code in parallel or (2) exploit a race condition to obtain "re-ordered access to the descriptor table."


Send comments or suggestions to nvd@nist.gov

NIST Computer Security Resource Center (CSRC)
