Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-12026
Publication date:
17/06/2018
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in turn can result in information disclosure and privilege escalation.
Severity CVSS v4.0: Pending analysis
Last modification:
08/03/2019

CVE-2018-12071
Publication date:
17/06/2018
A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.
Severity CVSS v4.0: Pending analysis
Last modification:
09/06/2025

CVE-2018-12104
Publication date:
17/06/2018
Cross-site scripting (XSS) vulnerability in Airbnb Knowledge Repo 0.7.4 allows remote attackers to inject arbitrary web scripts or HTML via the post comments functionality, as demonstrated by the post/posts/new_report.kp URI.
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2018

CVE-2018-12073
Publication date:
17/06/2018
An issue was discovered on Eminent EM4544 9.10 devices. The device does not require the user's current password to set a new one within the web interface. Therefore, it is possible to exploit this issue (e.g., in combination with a successful XSS, or at an unattended workstation) to change the admin password to an attacker-chosen value without knowing the current password.
Severity CVSS v4.0: Pending analysis
Last modification:
11/08/2018

CVE-2018-12027
Publication date:
17/06/2018
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of said socket are writable by a normal user that is not the application's user, then that non-application user can swap that directory with something else, resulting in traffic being redirected to a non-application user's process through an alternative Unix domain socket.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-12028
Publication date:
17/06/2018
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates an error, it would cause Passenger's process manager to kill said reported arbitrary PID.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-12072
Publication date:
17/06/2018
An issue was discovered in Cloud Media Popcorn A-200 03-05-130708-21-POP-411-000 firmware. It is configured to provide TELNET remote access (without a password) that pops a shell as root. If an attacker can connect to port 23 on the device, he can completely compromise it.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-10997
Publication date:
17/06/2018
Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.
Severity CVSS v4.0: Pending analysis
Last modification:
14/08/2018

CVE-2018-11218
Publication date:
17/06/2018
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2021

CVE-2018-11219
Publication date:
17/06/2018
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.
Severity CVSS v4.0: Pending analysis
Last modification:
04/08/2021

CVE-2018-11647
Publication date:
17/06/2018
index.js in oauth2orize-fprm before 0.2.1 has XSS via a crafted URL.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2018

CVE-2018-12329
Publication date:
17/06/2018
Protection Mechanism Failure in ECOS Secure Boot Stick (aka SBS) 5.6.5 allows a local attacker to duplicate an authentication factor via cloning.
Severity CVSS v4.0: Pending analysis
Last modification:
09/08/2018
Subscribe to Vulnerabilities