Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: you can select different criteria to narrow down the results, such as vulnerability type, manufacturer and impact level, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2020-35658

Publication date:
23/12/2020
SpamTitan before 7.09 allows attackers to tamper with backups, because backups are not encrypted.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-35656

Publication date:
23/12/2020
Jaws through 1.8.0 allows remote authenticated administrators to execute arbitrary code via crafted use of admin.php?reqGadget=Components&reqAction=InstallGadget&comp=FileBrowser and admin.php?reqGadget=FileBrowser&reqAction=Files to upload a .php file. NOTE: this is unrelated to the JAWS (aka Job Access With Speech) product.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2020

CVE-2020-28641

Publication date:
22/12/2020
In Malwarebytes Free 4.1.0.56, a symbolic link may be used to delete an arbitrary file on the system by exploiting the local quarantine system.
Severity CVSS v4.0: Pending analysis
Last modification:
23/12/2020

CVE-2020-27338

Publication date:
22/12/2020
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the DHCPv6 client component allows an unauthenticated remote attacker to cause an Out of Bounds Read, and possibly a Denial of Service via adjacent network access.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-29583

Publication date:
22/12/2020
Firmware version 4.60 of Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by someone to login to the ssh server or web interface with admin privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2025

CVE-2020-25066

Publication date:
22/12/2020
A heap-based buffer overflow in the Treck HTTP Server component before 6.0.1.68 allows remote attackers to cause a denial of service (crash/reset) or to possibly execute arbitrary code.
Severity CVSS v4.0: Pending analysis
Last modification:
26/03/2021

CVE-2020-27336

Publication date:
22/12/2020
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper input validation in the IPv6 component when handling a packet sent by an unauthenticated remote attacker could result in an out-of-bounds read of up to three bytes via network access.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2020-27337

Publication date:
22/12/2020
An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input Validation in the IPv6 component allows an unauthenticated remote attacker to cause an Out of Bounds Write, and possibly a Denial of Service via network access.
Severity CVSS v4.0: Pending analysis
Last modification:
30/09/2025

CVE-2020-24673

Publication date:
22/12/2020
In S+ Operations and S+ Historian, a successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. This can lead to a loss of confidentiality and data integrity or even affect the product behavior and its availability.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24674

Publication date:
22/12/2020
In S+ Operations and S+ Historian, not all client commands correctly check user permission as expected. Authenticated but Unauthorized remote users could execute a Denial-of-Service (DoS) attack, execute arbitrary code, or obtain more privilege than intended on the machines.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24675

Publication date:
22/12/2020
In S+ Operations and S+ History, it is possible that an unauthenticated user could inject values to the Operations History server (or standalone S+ History server) and ultimately write values to the controlled process.
Severity CVSS v4.0: Pending analysis
Last modification:
07/10/2021

CVE-2020-24676

Publication date:
22/12/2020
In Symphony Plus Operations and Symphony Plus Historian, some services can be vulnerable to privilege escalation attacks. An unprivileged (but authenticated) user could execute arbitrary code and result in privilege escalation, depending on the user that the service runs as.
Severity CVSS v4.0: Pending analysis
Last modification:
14/09/2021