Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-16556
Publication date:
17/12/2019
Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-16550
Publication date:
17/12/2019
A cross-site request forgery vulnerability in a connection test form method in Jenkins Maven Release Plugin 0.16.1 and earlier allows attackers to have Jenkins connect to an attacker specified web server and parse XML documents.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-16551
Publication date:
17/12/2019
A cross-site request forgery vulnerability in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-16552
Publication date:
17/12/2019
A missing permission check in Jenkins Gerrit Trigger Plugin 2.30.1 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL or SSH server using attacker-specified credentials, or determine the existence of a file with a given path on the Jenkins master.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-16549
Publication date:
17/12/2019
Jenkins Maven Release Plugin 0.16.1 and earlier does not configure the XML parser to prevent XML external entity (XXE) attacks, allowing man-in-the-middle attackers to have Jenkins parse crafted XML documents.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2023

CVE-2019-19712
Publication date:
17/12/2019
Contao 4.0 through 4.8.5 has Insecure Permissions. Back end users can manipulate the details view URL to show pages and articles that have not been enabled for them.
Severity CVSS v4.0: Pending analysis
Last modification:
31/12/2019

CVE-2019-19264
Publication date:
17/12/2019
In Simplifile RecordFusion through 2019-11-25, the logs and hist parameters allow remote attackers to access local files via a logger/logs?/../ or logger/hist?/../ URI.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-18833
Publication date:
17/12/2019
Barco ClickShare Button R9861500D01 devices before 1.9.0 allow Information exposure (issue 2 of 2).. The encryption key of the media content which is shared between a ClickShare Button and a ClickShare Base Unit is randomly generated for each new session and communicated over a TLS connection. An attacker who is able to perform a Man-in-the-Middle attack between the TLS connection, is able to obtain the encryption key.
Severity CVSS v4.0: Pending analysis
Last modification:
26/12/2019

CVE-2019-18832
Publication date:
17/12/2019
Barco ClickShare Button R9861500D01 devices before 1.9.0 have incorrect Credentials Management. The ClickShare Button implements encryption at rest which uses a one-time programmable (OTP) AES encryption key. This key is shared across all ClickShare Buttons of model R9861500D01.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-18824
Publication date:
17/12/2019
Barco ClickShare Button R9861500D01 devices before 1.10.0.13 have Missing Support for Integrity Check. The ClickShare Button does not verify the integrity of the mutable content on the UBIFS partition before being used.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-18829
Publication date:
17/12/2019
Barco ClickShare Button R9861500D01 devices before 1.10.0.13 have Missing Support for Integrity Check. The Barco signed 'Clickshare_For_Windows.exe' binary on the ClickShare Button (R9861500D01) loads a number of DLL files dynamically without verifying their integrity.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2019-18825
Publication date:
17/12/2019
Barco ClickShare Huddle CS-100 devices before 1.9.0 and CSE-200 devices before 1.9.0 have incorrect Credentials Management. The ClickShare Base Unit implements encryption at rest using encryption keys which are shared across all ClickShare Base Units of models CS-100 & CSE-200.
Severity CVSS v4.0: Pending analysis
Last modification:
26/12/2019
Subscribe to Vulnerabilities