Vulnerabilities

To inform, warn and help professionals keep up with the latest security vulnerabilities in technology systems, we have made a database available, in Spanish, for users interested in this information; it includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to their information sources, as well as to any available patches or solutions provided by manufacturers and developers. Advanced searches are possible, with the option to narrow down the results by criteria such as vulnerability type, manufacturer and impact level.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2018-15633

Publication date: 22/12/2020
Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.
Severity CVSS v4.0: Pending analysis
Last modification: 22/12/2020

CVE-2020-28448

Publication date: 22/12/2020
This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array.
Severity CVSS v4.0: Pending analysis
Last modification: 02/12/2022

CVE-2020-28460

Publication date: 22/12/2020
This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.
Severity CVSS v4.0: Pending analysis
Last modification: 02/12/2022

CVE-2020-26284

Publication date: 21/12/2020
Hugo is a fast and Flexible Static Site Generator built in Go. Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. In Hugo before version 0.79.1, if a malicious file with the same name (`exe` or `bat`) is found in the current working directory at the time of running `hugo`, the malicious command will be invoked instead of the system one. Windows users who run `hugo` inside untrusted Hugo sites are affected. Users should upgrade to Hugo v0.79.1. Other than avoiding untrusted Hugo sites, there is no workaround.
Severity CVSS v4.0: Pending analysis
Last modification: 23/12/2020

CVE-2020-35626

Publication date: 21/12/2020
An issue was discovered in the PushToWatch extension for MediaWiki through 1.35.1. The primary form did not implement an anti-CSRF token and therefore was completely vulnerable to CSRF attacks against onSkinAddFooterLinks in PushToWatch.php.
Severity CVSS v4.0: Pending analysis
Last modification: 22/12/2020

CVE-2020-35622

Publication date: 21/12/2020
An issue was discovered in the GlobalUsage extension for MediaWiki through 1.35.1. SpecialGlobalUsage.php calls WikiMap::makeForeignLink unsafely. The $page variable within the formatItem function was not being properly escaped, allowing for XSS under certain conditions.
Severity CVSS v4.0: Pending analysis
Last modification: 22/12/2020

CVE-2020-35624

Publication date: 21/12/2020
An issue was discovered in the SecurePoll extension for MediaWiki through 1.35.1. The non-admin vote list contains a full vote timestamp, which may provide unintended clues about how a voting process unfolded.
Severity CVSS v4.0: Pending analysis
Last modification: 22/12/2020

CVE-2020-35623

Publication date: 21/12/2020
An issue was discovered in the CasAuth extension for MediaWiki through 1.35.1. Due to improper username validation, it allowed user impersonation with trivial manipulations of certain characters within a given username. An ordinary user may be able to login as a "bureaucrat user" who has a similar username, as demonstrated by usernames that differ only in (1) bidirectional override symbols or (2) blank space.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-35625

Publication date: 21/12/2020
An issue was discovered in the Widgets extension for MediaWiki through 1.35.1. Any user with the ability to edit pages within the Widgets namespace could call any static function within any class (defined within PHP or MediaWiki) via a crafted HTML comment, related to a Smarty template. For example, a person in the Widget Editors group could use \MediaWiki\Shell\Shell::command within a comment.
Severity CVSS v4.0: Pending analysis
Last modification: 21/07/2021

CVE-2020-26277

Publication date: 21/12/2020
DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer before version 1.58.2, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defenses. For the attack to succeed, the following factors need to contribute: 1) The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user. 2) The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack. This has been fixed in version 1.58.2.
Severity CVSS v4.0: Pending analysis
Last modification: 23/12/2020

CVE-2020-29596

Publication date: 21/12/2020
MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the first parameter in a POST request.
Severity CVSS v4.0: Pending analysis
Last modification: 23/12/2020

CVE-2020-8995

Publication date: 21/12/2020
Programi Bilanc Build 007 Release 014 31.01.2020 supplies a .exe file containing several hardcoded credentials to different servers that allow remote attackers to gain access to the complete infrastructure including the website, update server, and external issue tracking tools.
Severity CVSS v4.0: Pending analysis
Last modification: 22/12/2020