Vulnerabilities

To inform and warn professionals about the latest security vulnerabilities in technology systems, and to help them respond, we have made a Spanish-language database available to interested users. It covers the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates the information it contains into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because entries are added while the INCIBE team is still translating them. Vulnerabilities are identified by their CVE (Common Vulnerabilities and Exposures) identifier, the standard naming scheme for information security vulnerabilities, so that information can be exchanged between different tools and databases.

Every vulnerability collected is linked to its information sources and to any patches or solutions made available by manufacturers and developers. Advanced searches are possible: results can be narrowed by criteria such as vulnerability type, manufacturer and impact level, among others.

RSS feeds and newsletters provide daily notification of the latest vulnerabilities added to the repository. Below is a list, updated daily, of the most recently added vulnerabilities.

CVE-2020-13349

Publication date:
17/11/2020
An issue has been discovered in GitLab EE affecting all versions starting from 8.12. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. Affected versions are >=8.12, =13.4, =13.5,
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021
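
The catastrophic-backtracking pattern described in this entry is worth seeing concretely. The following is an added example, not GitLab's code or its actual Advanced Search regex: the two patterns, the file-name suffix `.rb` and the inputs are constructed to show why a nested quantifier over an ambiguous split of word characters blows up exponentially on a near-miss input, and how an equivalent pattern whose loop iterations are delimited by a literal separator does not.

```python
"""Catastrophic backtracking in a file-path regex, and a linear-time rewrite.

Added example; VULNERABLE and SAFE are illustrative stand-ins, not GitLab's
actual pattern. They accept the same set of strings.
"""
import re
import time

# Vulnerable: inside (\w+\.?)* the dot is optional, so a run of n word
# characters can be split between loop iterations in 2^(n-1) ways. On an
# input that can never match, the engine tries every one of them.
VULNERABLE = re.compile(r"(\w+\.?)*\.rb")

# Safe: every iteration of (?:\w+\.)* must end with a literal dot, so the
# iteration boundaries are fixed by the input and backtracking is polynomial.
SAFE = re.compile(r"(?:\w+\.)*\w*\.rb")


def is_ruby_path(path: str, pattern: re.Pattern = SAFE) -> bool:
    """True if `path` looks like a dotted Ruby file name per `pattern`."""
    return pattern.fullmatch(path) is not None


def attacker_input(n: int) -> str:
    """Constructed near-miss: n word characters then a '!' that cannot match."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent in pattern.fullmatch(text)."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Each +1 in n roughly doubles the vulnerable pattern's time; the safe
    # pattern stays flat. Kept small so the demo finishes in seconds.
    for n in (12, 16, 20):
        bad = attacker_input(n)
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE, bad):.4f}s"
              f"  safe={time_match(SAFE, bad):.6f}s")
```

Rewriting the pattern is the real fix; as defence in depth, cap the length of user-controlled text before matching, and prefer a regex engine with linear-time guarantees (RE2-style) for patterns applied to untrusted input.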

CVE-2020-28140

Publication date:
17/11/2020
SourceCodester Online Clothing Store 1.0 is affected by an arbitrary file upload via the image upload feature of Products.php.
Severity CVSS v4.0: Pending analysis
Last modification:
23/11/2020

CVE-2020-28139

Publication date:
17/11/2020
SourceCodester Online Clothing Store 1.0 is affected by a cross-site scripting (XSS) vulnerability via the Offer Detail field in offer.php.
Severity CVSS v4.0: Pending analysis
Last modification:
23/11/2020

CVE-2020-28138

Publication date:
17/11/2020
SourceCodester Online Clothing Store 1.0 is affected by a SQL Injection via the txtUserName parameter to login.php.
Severity CVSS v4.0: Pending analysis
Last modification:
23/11/2020
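
A login-form injection of the kind this entry describes, and the parameterized fix, as an added example. This is not the SourceCodester code: Python with an in-memory SQLite database stands in for PHP/MySQL, and the table layout, the account and the txtUserName payload are constructed.

```python
"""SQL injection through a login form's username field, and the fix.

Added example modelled on the login.php / txtUserName issue. Python and
SQLite stand in for the PHP/MySQL application; all data is constructed.
"""
import hashlib
import sqlite3


def digest(password: str) -> str:
    """Unsalted SHA-256, used only to keep the example short. Real
    applications should use a dedicated password hash (bcrypt, scrypt, argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", digest("correct horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(username: str, password: str, conn=None):
    """Interpolates the form fields into the SQL text. A quote in the
    username ends the string literal and the rest is parsed as SQL."""
    conn = make_db() if conn is None else conn
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{digest(password)}'"
    )
    return conn.execute(query).fetchone()


def login_fixed(username: str, password: str, conn=None):
    """Bound parameters: values travel separately from the SQL text, so the
    same payload is just an odd username that matches no row."""
    conn = make_db() if conn is None else conn
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, digest(password)),
    ).fetchone()


# Constructed txtUserName payload: closes the quoted literal and comments out
# the password condition (the space after "--" is required by MySQL).
PAYLOAD = "admin' -- "

if __name__ == "__main__":
    print("vulnerable, wrong password:", login_vulnerable(PAYLOAD, "wrong"))
    print("fixed, same payload:       ", login_fixed(PAYLOAD, "wrong"))
```

The vulnerable query becomes `... WHERE username = 'admin' -- AND password = '...'`, so the password check is never evaluated and the admin row is returned. The fixed version returns no row for the same input; no escaping routine is involved, which is why parameterization rather than quoting is the standard remedy.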

CVE-2020-13348

Publication date:
17/11/2020
An issue has been discovered in GitLab EE affecting all versions starting from 10.2. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. Affected versions are >=10.2, =13.4, =13.5,
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2020

CVE-2020-26701

Publication date:
17/11/2020
Cross-site scripting (XSS) vulnerability in Dashboards section in Kaa IoT Platform v1.2.0 allows remote attackers to inject malicious web scripts or HTML Injection payloads via the Description parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2020

CVE-2020-13350

Publication date:
17/11/2020
CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. Affected versions are >=13.5.0, =13.4.0,
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2020

CVE-2020-13351

Publication date:
17/11/2020
Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. Affected versions are >=13.0, =13.4.0, =13.5.0,
Severity CVSS v4.0: Pending analysis
Last modification:
27/11/2020
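
The two GitLab entries above (CVE-2020-13350 and CVE-2020-13351) are both missing server-side checks: one that a state-changing request really came from the administrator's own page rather than a cross-site form, and one that a requester who can see a project is actually entitled to its CI secrets. The following added example sketches both checks in Python. It is not GitLab's (Ruby on Rails) code; the role names, the session model and the maintainer-only rule for schedule variables are assumptions.

```python
"""Server-side checks of the kind the two GitLab issues above lacked.

Added example in Python, not GitLab's code. Roles, token handling and the
maintainer-only rule for schedule variables are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a request fails an authorization or CSRF check."""


@dataclass
class Session:
    user: str
    is_admin: bool = False
    # Per-session secret. A cross-site page can make the victim's browser
    # send the request (with cookies) but cannot read this value, so it
    # cannot submit a matching token.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Project:
    visibility: str        # "public" or "private"
    roles: dict            # user -> "guest" | "developer" | "maintainer"
    schedule_vars: dict    # scheduled-pipeline variable name -> value


def pause_runner(session: Session, submitted_token: str, runner_id: int) -> str:
    """State-changing admin action: valid CSRF token first, then admin role.

    The CSRF check comes first because the admin's browser is the victim;
    the admin role alone says nothing about who initiated the request.
    Constant-time comparison avoids leaking the token through timing.
    """
    expected = session.csrf_token.encode()
    if not hmac.compare_digest(expected, (submitted_token or "").encode()):
        raise Forbidden("missing or invalid CSRF token")
    if not session.is_admin:
        raise Forbidden("runner administration requires an instance admin")
    return f"runner {runner_id} paused"


def scheduled_variables(session: Session, project: Project) -> dict:
    """Sensitive read: being able to *see* a project is not enough.

    Variable names and values are CI secrets, so require a role entrusted
    with CI configuration on that specific project (maintainer, assumed).
    """
    role = project.roles.get(session.user)
    if project.visibility != "public" and role is None:
        raise Forbidden("project not visible to this user")
    if role != "maintainer":
        raise Forbidden("schedule variables require maintainer access")
    return dict(project.schedule_vars)


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises Forbidden; used to exercise the checks."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


# Constructed fixtures.
ADMIN = Session(user="alice", is_admin=True)
VISITOR = Session(user="mallory")
DEVELOPER = Session(user="bob")
PUBLIC_PROJECT = Project(
    visibility="public",
    roles={"alice": "maintainer", "bob": "developer"},
    schedule_vars={"DEPLOY_TOKEN": "constructed-value"},
)

if __name__ == "__main__":
    print(pause_runner(ADMIN, ADMIN.csrf_token, 7))
    print("forged POST rejected:", rejects(pause_runner, ADMIN, "", 7))
    print("visitor reads vars:", not rejects(scheduled_variables, VISITOR, PUBLIC_PROJECT))
```

The second check is the one that is easy to get wrong: a visibility test answers "may this user view the project?", which is a different question from "may this user read its pipeline secrets?", and a public project makes the gap obvious.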

CVE-2020-25400

Publication date:
17/11/2020
Cross-domain policies in the Taskcafe Project Management tool before version 0.1.0 and in 0.1.1 allow remote attackers to access sensitive data such as the access token.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021
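
How a cross-domain policy can hand a token to an arbitrary site, and what the corrected policy looks like, as an added example. This is not Taskcafe's code, and the entry above does not say which mechanism was at fault; the example assumes a CORS-style policy on an API that returns the access token in a response body. The allowlist and all origins used are constructed.

```python
"""A permissive cross-domain (CORS) policy that exposes a token to any
origin, a broken "fix", and the allowlisted fix.

Added example, not Taskcafe's code. Assumes a CORS-style policy on an API
whose response body carries the access token; origins are constructed.
"""
from typing import Optional

ALLOWED_ORIGINS = {"https://app.example.com"}   # constructed allowlist


def cors_headers_vulnerable(request_origin: Optional[str]) -> dict:
    """Reflects the caller's Origin and allows credentials.

    Browsers refuse "Access-Control-Allow-Origin: *" together with
    credentials, so reflecting Origin is the tempting shortcut. It lets any
    page a logged-in victim visits call the API with the victim's cookies
    and read the token out of the response.
    """
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def origin_allowed_naive(request_origin: str) -> bool:
    """A common broken repair: suffix matching on the origin text.
    "https://notexample.com" passes this test; exact matching is the rule."""
    return request_origin.endswith("example.com")


def cors_headers_fixed(request_origin: Optional[str]) -> dict:
    """Exact-match allowlist. "Vary: Origin" stops a shared cache from
    replaying one origin's response headers to another."""
    headers = {"Vary": "Origin"}
    if request_origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = request_origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_can_read(page_origin: str, headers: dict,
                     with_credentials: bool = True) -> bool:
    """Approximation of the browser's decision to expose a response to
    script running on `page_origin`."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    if acao != page_origin:
        return False
    return (not with_credentials) or \
        headers.get("Access-Control-Allow-Credentials") == "true"


if __name__ == "__main__":
    evil = "https://evil.example.net"
    print("attacker page reads token (vulnerable):",
          browser_can_read(evil, cors_headers_vulnerable(evil)))
    print("attacker page reads token (fixed):     ",
          browser_can_read(evil, cors_headers_fixed(evil)))
```

When auditing, send a request with an unexpected `Origin` header and a session cookie: if the response reflects that origin in `Access-Control-Allow-Origin` and sets `Access-Control-Allow-Credentials: true`, any authenticated response body, tokens included, is readable cross-site.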

CVE-2020-13958

Publication date:
17/11/2020
A vulnerability in Apache OpenOffice scripting events allows an attacker to construct documents containing hyperlinks pointing to an executable on the target user's file system. These hyperlinks can be triggered unconditionally. In fixed versions no internal protocol may be called from the document event handler, and other hyperlinks require a control-click.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2020

CVE-2020-27558

Publication date:
17/11/2020
Use of an undocumented user in BASETech GE-131 BT-1837836 firmware 20180921 allows remote attackers to view the video stream.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2020

CVE-2020-27553

Publication date:
17/11/2020
In BASETech GE-131 BT-1837836 firmware 20180921, the web-server on the system is configured with the option "DocumentRoot /etc". This allows an attacker with network access to the web-server to download any files from the "/etc" folder without authentication. No path traversal sequences are needed to exploit this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
01/12/2020