Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available to interested users. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database), which, by virtue of a partnership agreement, INCIBE translates into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) standard for information security vulnerability names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2019-20480

Publication date:
24/02/2020
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website visited by an authenticated admin user or a malicious mail is allowed to make arbitrary changes in the "admin panel" because there is no CSRF protection.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2020

CVE-2020-8130

Publication date:
24/02/2020
There is an OS command injection vulnerability in Ruby Rake.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-20481

Publication date:
24/02/2020
In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Function does not require knowledge of the old password. This can be exploited in conjunction with CVE-2019-20480.
Severity CVSS v4.0: Pending analysis
Last modification:
24/08/2020

CVE-2020-5188

Publication date:
24/02/2020
DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2015-9542

Publication date:
24/02/2020
add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correctly check the length of the input password, and is vulnerable to a stack-based buffer overflow during memcpy(). An attacker could send a crafted password to an application (loading the pam_radius library) and crash it. Arbitrary code execution might be possible, depending on the application, C library, compiler, and other factors.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2020

CVE-2019-20044

Publication date:
24/02/2020
In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option. Zsh fails to overwrite the saved uid, so the original privileges can be restored by executing MODULE_PATH=/dir/with/module zmodload with a module that calls setuid().
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2019-15299

Publication date:
24/02/2020
An issue was discovered in Centreon Web through 19.04.3. When a user changes his password on his profile page, the contact_autologin_key field in the database becomes blank when it should be NULL. This makes it possible to partially bypass authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
28/02/2020

CVE-2019-3670

Publication date:
24/02/2020
Remote Code Execution vulnerability in the web interface in McAfee Web Advisor (WA) 8.0.34745 and earlier allows a remote unauthenticated attacker to execute arbitrary code via a cross-site scripting attack.
Severity CVSS v4.0: Pending analysis
Last modification:
07/11/2023

CVE-2020-9353

Publication date:
23/02/2020
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML element in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2020-9355

Publication date:
23/02/2020
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
01/01/2022

CVE-2020-9352

Publication date:
23/02/2020
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter. NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024

CVE-2020-9351

Publication date:
23/02/2020
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the absolute path). NOTE: the documentation states "These tools are, by default, available to anyone ... so they should only be deployed into a trusted environment. Alternately, the tools can easily be restricted to administrators or end users by protecting the tools path with normal authentication and authorization mechanisms on the web server."
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2024