Vulnerabilities

To inform, warn and help professionals regarding the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database). Under a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2020-7274

Publication date:
15/04/2020
Privilege escalation vulnerability in McTray.exe in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges (by default it runs with the current user's privileges).
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-7257

Publication date:
15/04/2020
Privilege escalation vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to cause the deletion and creation of files they would not normally have permission to through altering the target of symbolic links whilst an anti-virus scan was in progress. This is timing dependent.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-7278

Publication date:
15/04/2020
Exploiting incorrectly configured access control security levels vulnerability in ENS Firewall in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 and 10.6.1 April 2020 updates allows remote attackers and local users to allow or block unauthorized traffic via pre-existing rules not being handled correctly when updating to the February 2020 updates.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-10514

Publication date:
15/04/2020
iCatch DVR firmware before 20200103 does not validate function parameters properly, resulting in attackers executing arbitrary commands.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2020-3932

Publication date:
15/04/2020
A vulnerable SNMP in Draytek VigorAP910C cannot be disabled, which may cause information leakage.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021

CVE-2020-10511

Publication date:
15/04/2020
HGiga C&Cmail CCMAILQ before olln-base-6.0-418.i386.rpm and CCMAILN before olln-base-5.0-418.i386.rpm contain insecure configurations. Attackers can exploit these flaws to access unauthorized functionality via a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2020-10513

Publication date:
15/04/2020
The file management interface of iCatch DVR firmware before 20200103 contains broken access control, which allows an attacker to remotely manipulate arbitrary files.
Severity CVSS v4.0: Pending analysis
Last modification:
03/05/2022

CVE-2020-10505

Publication date:
15/04/2020
The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a SQL Injection vulnerability; an attacker can use a union-based injection query string to get the database schema and username/password.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2020

CVE-2020-10506

Publication date:
15/04/2020
The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains a Path Traversal vulnerability, allowing attackers to access arbitrary files.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2020

CVE-2020-10507

Publication date:
15/04/2020
The School Manage System before 2020, developed by ALLE INFORMATION CO., LTD., contains an Unrestricted file upload (RCE) vulnerability that would allow attackers to gain access to the hosting machine.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2020

CVE-2020-10512

Publication date:
15/04/2020
HGiga C&Cmail CCMAILQ before olln-calendar-6.0-100.i386.rpm and CCMAILN before olln-calendar-5.0-100.i386.rpm contain a SQL Injection vulnerability which allows attackers to inject SQL commands in the URL parameter to execute unauthorized commands.
Severity CVSS v4.0: Pending analysis
Last modification:
30/04/2020

CVE-2020-11767

Publication date:
15/04/2020
Istio through 1.5.1 and Envoy through 1.14.1 have a data-leak issue. If there is a TCP connection (negotiated with SNI over HTTPS) to *.example.com, a request for a domain concurrently configured explicitly (e.g., abc.example.com) is sent to the server(s) listening behind *.example.com. The outcome should instead be 421 Misdirected Request. Imagine a shared caching forward proxy re-using an HTTP/2 connection for a large subnet with many users. If a victim is interacting with abc.example.com, and a server (for abc.example.com) recycles the TCP connection to the forward proxy, the victim's browser may suddenly start sending sensitive data to a *.example.com server. This occurs because the forward proxy between the victim and the origin server reuses connections (which obeys the specification), but neither Istio nor Envoy corrects this by sending a 421 error. Similarly, this behavior voids the security model browsers have put in place between domains.
Severity CVSS v4.0: Pending analysis
Last modification:
21/07/2021