Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-3320
Publication date:
08/10/2020
A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by first entering input within the web-based management interface and then persuading a user of the interface to view the crafted input within the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Severity CVSS v4.0: Pending analysis
Last modification:
26/11/2024

CVE-2020-3535
Publication date:
08/10/2020
A vulnerability in the loading mechanism of specific DLLs in the Cisco Webex Teams client for Windows could allow an authenticated, local attacker to load a malicious library. To exploit this vulnerability, the attacker needs valid credentials on the Windows system. The vulnerability is due to incorrect handling of directory paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file in a specific location on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the targeted system with the privileges of another user’s account.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-15501
Publication date:
07/10/2020
Smarter Coffee Maker before 2nd generation allows firmware replacement without authentication or authorization. User interaction is required to press a button. NOTE: This vulnerability only affects products that are no longer supported by the maintainer
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2015-7379
Publication date:
07/10/2020
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2015-7380
Publication date:
07/10/2020
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-25867
Publication date:
07/10/2020
SoPlanning before 1.47 doesn't correctly check the security key used to publicly share plannings. It allows a bypass to get access without authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
15/10/2020

CVE-2020-25768
Publication date:
07/10/2020
Contao before 4.4.52, 4.9.x before 4.9.6, and 4.10.x before 4.10.1 have Improper Input Validation. It is possible to inject insert tags in front end forms which will be replaced when the page is rendered.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-15226
Publication date:
07/10/2020
In GLPI before version 9.5.2, there is a SQL Injection in the API's search function. Not only is it possible to break the SQL syntax, but it is also possible to utilise a UNION SELECT query to reflect sensitive information such as the current database version, or database user. The most likely scenario for this vulnerability is with someone who has an API account to the system. The issue is patched in version 9.5.2. A proof-of-concept with technical details is available in the linked advisory.
Severity CVSS v4.0: Pending analysis
Last modification:
14/10/2020

CVE-2020-7316
Publication date:
07/10/2020
Unquoted service path vulnerability in McAfee File and Removable Media Protection (FRP) prior to 5.3.0 allows local users to execute arbitrary code, with higher privileges, via execution and from a compromised folder. This issue may result in files not being encrypted when a policy is triggered.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-26164
Publication date:
07/10/2020
In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
31/01/2023

CVE-2020-15217
Publication date:
07/10/2020
In GLPI before version 9.5.2, there is a leakage of user information through the public FAQ. The issue was introduced in version 9.5.0 and patched in 9.5.2. As a workaround, disable public access to the FAQ.
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020

CVE-2020-15176
Publication date:
07/10/2020
In GLPI before version 9.5.2, when supplying a back tick in input that gets put into a SQL query,the application does not escape or sanitize allowing for SQL Injection to occur. Leveraging this vulnerability an attacker is able to exfiltrate sensitive information like passwords, reset tokens, personal details, and more. The issue is patched in version 9.5.2
Severity CVSS v4.0: Pending analysis
Last modification:
16/10/2020
Subscribe to Vulnerabilities