
# Vulnerabilities

It is important to understand precisely what a vulnerability is. A vulnerability is some flaw in a system that an attacker could exploit to attack the system.

## CVE

The most common list of vulnerabilities is the CVE list. Common Vulnerabilities and Exposures (CVE) is a list maintained by the MITRE Corporation at <https://cve.mitre.org/>. It is not only the most common, but also the most comprehensive vulnerability list. The CVE list was designed to provide a common name and description for each vulnerability, so that security professionals can communicate about vulnerabilities unambiguously. In the past, CVEs were designated by a CVE ID in the format CVE-YYYY-NNNN. This format only allows 9,999 unique identifiers per year. The new format is the CVE prefix + year + arbitrary digits, which allows the sequence number to have any number of digits.
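The format change matters in practice: tooling that assumes a fixed four-digit sequence number will reject or mis-sort newer IDs such as CVE-2017-12371 (the NIST example used below). The following Python is an added example, not part of this course page or any MITRE tool; it validates both the legacy fixed-width form and the variable-length form described above, extracts IDs from free text such as an advisory, and sorts them numerically rather than lexically. The pattern, the `CveId` type and the sample advisory text are all constructed for illustration.

```python
import re
from typing import List, NamedTuple

# CVE identifier syntax as described in the text: the "CVE-" prefix, a four-digit
# year, and a sequence number of at least four digits. The legacy CVE-YYYY-NNNN
# form is the special case where the sequence number is exactly four digits.
CVE_ID_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Same syntax, but for locating IDs inside larger text (advisories, tickets, logs).
CVE_IN_TEXT_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


class CveId(NamedTuple):
    """Structured CVE identifier; tuple ordering gives year-then-sequence sort order."""
    year: int
    sequence: int

    def __str__(self) -> str:
        # Sequence numbers are zero-padded to at least four digits (e.g. 0160),
        # while longer numbers such as 12371 are printed in full.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Validate and parse a CVE ID, raising ValueError on malformed input."""
    match = CVE_ID_RE.match(text.strip().upper())
    if not match:
        raise ValueError(f"not a valid CVE ID: {text!r}")
    return CveId(int(match.group("year")), int(match.group("seq")))


def is_legacy_format(text: str) -> bool:
    """True when the ID uses the old fixed-width CVE-YYYY-NNNN form."""
    match = CVE_ID_RE.match(text.strip().upper())
    if not match:
        raise ValueError(f"not a valid CVE ID: {text!r}")
    return len(match.group("seq")) == 4


def find_cve_ids(text: str) -> List[str]:
    """Extract unique CVE IDs from free text, normalised to upper case, in order of appearance."""
    seen = []
    for raw in CVE_IN_TEXT_RE.findall(text):
        normalised = raw.upper()
        if normalised not in seen:
            seen.append(normalised)
    return seen


def sort_cve_ids(ids: List[str]) -> List[str]:
    """Sort CVE IDs numerically by (year, sequence); a plain string sort would
    wrongly place CVE-2017-12371 before CVE-2017-9999."""
    return [str(cve) for cve in sorted(set(parse_cve_id(i) for i in ids))]


if __name__ == "__main__":
    # Constructed sample advisory text for demonstration only.
    sample_advisory = (
        "Affected builds should be patched for cve-2017-12371 (see NVD). "
        "Older tracking referenced CVE-2017-9999 and CVE-2016-10001; "
        "CVE-2017-12371 is listed twice here on purpose."
    )
    found = find_cve_ids(sample_advisory)
    print("found:", found)
    print("sorted:", sort_cve_ids(found))
    for cve in found:
        print(cve, "legacy format" if is_legacy_format(cve) else "variable-length format")
```

Running the script prints the three unique IDs from the constructed text, their numeric ordering (2016 first, then 9999 before 12371 within 2017), and which of them still fit the legacy four-digit form.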

## NIST

The U.S. National Institute of Standards and Technology maintains a database of vulnerabilities that you can access at <https://nvd.nist.gov/>. NIST also uses the CVE format. For example, CVE-2017-12371 is described as “A ‘Cisco WebEx Network Recording Player Remote Code Execution Vulnerability’ exists in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files. A remote attacker could exploit this by providing a user with a malicious ARF or WRF file via email or URL and convincing the user to launch the file. Exploitation of this could cause an affected player to crash and, in some cases, could allow arbitrary code execution on the system of a targeted user.”

## OWASP

The Open Web Application Security Project (OWASP) is the standard for web application security. They publish a number of important documents. For our current purposes, the most important is their Top 10 list, located at <https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project>. Every few years they publish a Top 10 web application vulnerabilities list. This list contains the vulnerabilities actually found most frequently in web applications.
