Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-12213
Publication date:
20/05/2019
When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory function in PluginTIFF.cpp always returns 1, leading to stack exhaustion.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-12214
Publication date:
20/05/2019
In FreeImage 3.18.0, an out-of-bounds access occurs because of mishandling of the OpenJPEG j2k_read_ppm_v3 function in j2k.c. The value of l_N_ppm comes from the file read in, and the code does not consider that l_N_ppm may be greater than the size of p_header_data.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2019

CVE-2019-12212
Publication date:
20/05/2019
When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize function of JXRMeta.c repeatedly calls itself due to improper processing of the file, eventually causing stack exhaustion. An attacker can achieve a remote denial of service attack by sending a specially constructed file.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2019-12215
Publication date:
20/05/2019
A full path disclosure vulnerability was discovered in Matomo v3.9.1 where a user can trigger a particular error to discover the full path of Matomo on the disk, because lastError.file is used in plugins/CorePluginsAdmin/templates/safemode.twig. NOTE: the vendor disputes the significance of this issue, stating "avoid reporting path disclosures, as we don't consider them as security vulnerabilities.
Severity CVSS v4.0: Pending analysis
Last modification:
05/08/2024

CVE-2018-12270
Publication date:
20/05/2019
In Valve Steam 1528829181 BETA, it is possible to perform a homograph / homoglyph attack to create fake URLs in the client, which may trick users into visiting unintended web sites.
Severity CVSS v4.0: Pending analysis
Last modification:
07/02/2022

CVE-2019-12206
Publication date:
20/05/2019
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in nxt_utf8_encode in nxt_utf8.c.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2019-12207
Publication date:
20/05/2019
njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in nxt_utf8_decode in nxt/nxt_utf8.c.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2019-12208
Publication date:
20/05/2019
njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in njs_function_native_call in njs/njs_function.c.
Severity CVSS v4.0: Pending analysis
Last modification:
24/03/2022

CVE-2019-11809
Publication date:
20/05/2019
An issue was discovered in Joomla! before 3.9.6. The debug views of com_users do not properly escape user supplied data, which leads to a potential XSS attack vector.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2019

CVE-2019-12198
Publication date:
20/05/2019
In GoHttp through 2017-07-25, there is a stack-based buffer over-read via a long User-Agent header.
Severity CVSS v4.0: Pending analysis
Last modification:
21/05/2019

CVE-2019-12185
Publication date:
20/05/2019
eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/controllers/EntityController.php component. This may result in remote command execution. An attacker can use a user account to fully compromise the system using a POST request. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
Severity CVSS v4.0: Pending analysis
Last modification:
14/02/2024

CVE-2019-12184
Publication date:
19/05/2019
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
Severity CVSS v4.0: Pending analysis
Last modification:
20/05/2019
Subscribe to Vulnerabilities