Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-16212
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. The application on the surveillance station operates in kiosk mode, which is vulnerable to local breakouts that could allow an attacker with physical access to escape the restricted environment with limited privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16220
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions C.02, C.03, <br /> PerformanceBridge Focal Point Version A.01, the product receives input <br /> that is expected to be well-formed (i.e., to comply with a certain <br /> syntax) but it does not validate or incorrectly validates that the input<br /> complies with the syntax, causing the certificate enrollment service to<br /> crash. It does not impact monitoring but prevents new devices from <br /> enrolling.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16224
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions C.02, C.03, the <br /> software parses a formatted message or structure but does not handle or <br /> incorrectly handles a length field that is inconsistent with the actual <br /> length of the associated data, causing the application on the <br /> surveillance station to restart.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16216
Publication date:
11/09/2020
In IntelliVue patient monitors MX100, MX400-550, MX600, MX700, MX750, <br /> MX800, MX850, MP2-MP90, and IntelliVue X2 and X3 Versions N and prior, <br /> the product receives input or data but does not validate or incorrectly <br /> validates that the input has the properties required to process the data<br /> safely and correctly, which can induce a denial-of-service condition <br /> through a system restart.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-14100
Publication date:
11/09/2020
In Xiaomi router R3600 ROM version
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-15802
Publication date:
11/09/2020
Devices supporting Bluetooth before 5.1 may allow man-in-the-middle attacks, aka BLURtooth. Cross Transport Key Derivation in Bluetooth Core Specification v4.2 and v5.0 may permit an unauthenticated user to establish a bonding with one transport, either LE or BR/EDR, and replace a bonding already established on the opposing transport, BR/EDR or LE, potentially overwriting an authenticated key with an unauthenticated key, or a key with greater entropy with one with less.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2022

CVE-2020-14096
Publication date:
11/09/2020
Memory overflow in Xiaomi AI speaker Rom version
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2020

CVE-2020-11991
Publication date:
11/09/2020
When using the StreamGenerator, the code parse a user-provided XML. A specially crafted XML, including external system entities, could be used to access any file on the server system.
Severity CVSS v4.0: Pending analysis
Last modification:
17/09/2020

CVE-2020-9239
Publication date:
11/09/2020
Huawei smartphones BLA-A09 versions 8.0.0.123(C212),versions earlier than 8.0.0.123(C567),versions earlier than 8.0.0.123(C797);BLA-TL00B versions earlier than 8.1.0.326(C01);Berkeley-L09 versions earlier than 8.0.0.163(C10),versions earlier than 8.0.0.163(C432),Versions earlier than 8.0.0.163(C636),Versions earlier than 8.0.0.172(C10);Duke-L09 versions Duke-L09C10B187, versions Duke-L09C432B189, versions Duke-L09C636B189;HUAWEI P20 versions earlier than 8.0.1.16(C00);HUAWEI P20 Pro versions earlier than 8.1.0.152(C00);Jimmy-AL00A versions earlier than Jimmy-AL00AC00B172;LON-L29D versions LON-L29DC721B192;NEO-AL00D versions earlier than 8.1.0.172(C786);Stanford-AL00 versions Stanford-AL00C00B123;Toronto-AL00 versions earlier than Toronto-AL00AC00B225;Toronto-AL00A versions earlier than Toronto-AL00AC00B225;Toronto-TL10 versions earlier than Toronto-TL10C01B225 have an information vulnerability. A module has a design error that is lack of control of input. Attackers can exploit this vulnerab
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-16222
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Version B.02, C.02, C.03, and <br /> PerformanceBridge Focal Point Version A.01, when an actor claims to have<br /> a given identity, the software does not prove or insufficiently proves <br /> the claim is correct.<br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16228
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions C.02 and C.03, <br /> PerformanceBridge Focal Point Version A.01, IntelliVue patient monitors <br /> MX100, MX400-MX550, MX750, MX850, and IntelliVue X3 Versions N and <br /> prior, the software does not check or incorrectly checks the revocation <br /> status of a certificate, which may cause it to use a compromised <br /> certificate.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023

CVE-2020-16218
Publication date:
11/09/2020
In Patient Information Center iX (PICiX) Versions B.02, C.02, C.03, the <br /> software does not neutralize or incorrectly neutralizes <br /> user-controllable input before it is placed in output that is then used <br /> as a webpage and served to other users. Successful exploitation could <br /> lead to unauthorized access to patient data via a read-only web <br /> application.<br /> <br /> <br /> <br />
Severity CVSS v4.0: Pending analysis
Last modification:
12/12/2023
Subscribe to Vulnerabilities