Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database); under a partnership agreement, INCIBE translates that information into Spanish.

Occasionally this list will show vulnerabilities that have not yet been translated, because they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as to available patches or solutions provided by manufacturers and developers. Advanced searches are possible: results can be narrowed down by selecting criteria such as vulnerability type, manufacturer and impact level, among others.

You can be informed daily about the latest vulnerabilities added to the repository through RSS feeds or newsletters. Below is a list, updated daily, of the latest vulnerabilities.

CVE-2019-7410

Publication date: 14/08/2020
There is stored cross site scripting (XSS) in Galileo CMS v0.042. Remote authenticated users could inject arbitrary web script or HTML via $page_title in /lib/Galileo/files/templates/page/show.html.ep (aka the PAGE TITLE Field).
Severity CVSS v4.0: Pending analysis
Last modification: 19/08/2020

CVE-2019-6112

Publication date: 14/08/2020
A Cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field).
Severity CVSS v4.0: Pending analysis
Last modification: 19/08/2020

CVE-2020-4662

Publication date: 14/08/2020
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
Severity CVSS v4.0: Pending analysis
Last modification: 14/08/2020

CVE-2019-20383

Publication date: 13/08/2020
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
Severity CVSS v4.0: Pending analysis
Last modification: 19/08/2020

CVE-2020-24348

Publication date: 13/08/2020
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2022

CVE-2020-7360

Publication date: 13/08/2020
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was released after April 15, 2020. (Note, the version numbering system changed significantly between version 4.3.15 and version 1.0.7.)
Severity CVSS v4.0: Pending analysis
Last modification: 19/08/2020

CVE-2020-24349

Publication date: 13/08/2020
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
Severity CVSS v4.0: Pending analysis
Last modification: 05/10/2022

CVE-2020-24346

Publication date: 13/08/2020
njs through 0.4.3, used in NGINX, has a use-after-free in njs_json_parse_iterator_call in njs_json.c.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2022

CVE-2020-24347

Publication date: 13/08/2020
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_lvlhsh_level_find in njs_lvlhsh.c.
Severity CVSS v4.0: Pending analysis
Last modification: 15/04/2022

CVE-2020-24343

Publication date: 13/08/2020
Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of unconditional marking in jsgc.c.
Severity CVSS v4.0: Pending analysis
Last modification: 19/08/2020

CVE-2020-24344

Publication date: 13/08/2020
JerryScript through 2.3.0 has a (function({a=arguments}){const arguments}) buffer over-read.
Severity CVSS v4.0: Pending analysis
Last modification: 19/08/2020

CVE-2020-24345

Publication date: 13/08/2020
JerryScript through 2.3.0 allows stack consumption via function a(){new new Proxy(a,{})}JSON.parse("[]",a). NOTE: the vendor states that the problem is the lack of the --stack-limit option
Severity CVSS v4.0: Pending analysis
Last modification: 04/08/2024