Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-19361
Publication date:
20/01/2021
Reflected XSS in Medintux v2.16.000 CCAM.php by manipulating the mot1 parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-19362
Publication date:
20/01/2021
Reflected XSS in Vtiger CRM v7.2.0 in vtigercrm/index.php? through the view parameter can result in an attacker performing malicious actions to users who open a maliciously crafted link or third-party web page.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-19364
Publication date:
20/01/2021
OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-19360
Publication date:
20/01/2021
Local file inclusion in FHEM 6.0 allows in fhem/FileLog_logWrapper file parameter can allow an attacker to include a file, which can lead to sensitive information disclosure.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-27269
Publication date:
19/01/2021
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications lacks replay protection measures, which allows unauthenticated, physically proximate attackers to replay communication sequences via Bluetooth Low Energy.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-11997
Publication date:
19/01/2021
Apache Guacamole 1.2.0 and earlier do not consistently restrict access to connection history based on user visibility. If multiple users share access to the same connection, those users may be able to see which other users have accessed that connection, as well as the IP addresses from which that connection was accessed, even if those users do not otherwise have permission to see other users.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-28707
Publication date:
19/01/2021
The Stockdio Historical Chart plugin before 2.8.1 for WordPress is affected by Cross Site Scripting (XSS) via stockdio_chart_historical-wp.js in wp-content/plugins/stockdio-historical-chart/assets/ because the origin of a postMessage() event is not validated. The stockdio_eventer function listens for any postMessage event. After a message event is sent to the application, this function sets the "e" variable as the event and checks that the types of the data and data.method are not undefined (empty) before proceeding to eval the data.method received from the postMessage. However, on a different website. JavaScript code can call window.open for the vulnerable WordPress instance and do a postMessage(msg,'*') for that object.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-29598
Publication date:
19/01/2021
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its requester. Notes: none
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-27266
Publication date:
19/01/2021
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass user authentication checks via Bluetooth Low Energy.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2021

CVE-2020-27268
Publication date:
19/01/2021
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, a client-side control vulnerability in the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows physically proximate attackers to bypass checks for default PINs via Bluetooth Low Energy.
Severity CVSS v4.0: Pending analysis
Last modification:
19/10/2021

CVE-2020-27264
Publication date:
19/01/2021
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications use deterministic keys, which allows unauthenticated, physically proximate attackers to brute-force the keys via Bluetooth Low Energy.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021

CVE-2020-27258
Publication date:
19/01/2021
In SOOIL Developments Co., Ltd Diabecare RS, AnyDana-i and AnyDana-A, an information disclosure vulnerability in the communication protocol of the insulin pump and its AnyDana-i and AnyDana-A mobile applications allows unauthenticated attackers to extract the pump’s keypad lock PIN via Bluetooth Low Energy.
Severity CVSS v4.0: Pending analysis
Last modification:
22/01/2021
Subscribe to Vulnerabilities