Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2018-16549
Publication date:
05/09/2018
HScripts PHP File Browser Script v1.0 allows Directory Traversal via the index.php path parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
16/11/2018

CVE-2018-16361
Publication date:
05/09/2018
An issue was discovered in BTITeam XBTIT 2.5.4. news.php allows XSS via the id parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
25/10/2018

CVE-2018-16381
Publication date:
05/09/2018
e107 2.1.8 has XSS via the e107_admin/users.php?mode=main&action=list user_loginname parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
29/10/2018

CVE-2018-16548
Publication date:
05/09/2018
An issue was discovered in ZZIPlib through 0.13.69. There is a memory leak triggered in the function __zzip_parse_root_directory in zip.c, which will lead to a denial of service attack.
Severity CVSS v4.0: Pending analysis
Last modification:
10/07/2025

CVE-2018-16147
Publication date:
05/09/2018
The data parameter of the /settings/api/router endpoint in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to Cross-Site Scripting.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2018

CVE-2018-15684
Publication date:
05/09/2018
An issue was discovered in BTITeam XBTIT. PHP error logs are stored in an open directory (/include/logs) using predictable file names, which can lead to full path disclosure and leakage of sensitive data.
Severity CVSS v4.0: Pending analysis
Last modification:
05/11/2018

CVE-2018-16144
Publication date:
05/09/2018
The test connection functionality in the NetAudit section of Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 is vulnerable to command injection due to improper sanitization of the rancid_password parameter.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-16145
Publication date:
05/09/2018
The /etc/init.d/opsview-reporting-module script that runs at boot time in Opsview Monitor before 5.3.1 and 5.4.x before 5.4.2 invokes a file that can be edited by the nagios user, and would allow attackers to elevate their privileges to root after a system restart, hence obtaining full control of the appliance.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-16146
Publication date:
05/09/2018
The web management console of Opsview Monitor 5.4.x before 5.4.2 provides functionality accessible by an authenticated administrator to test notifications that are triggered under certain configurable events. The value parameter is not properly sanitized, leading to arbitrary command injection with the privileges of the nagios user account.
Severity CVSS v4.0: Pending analysis
Last modification:
03/10/2019

CVE-2018-15917
Publication date:
05/09/2018
Persistent cross-site scripting (XSS) issues in Jorani 0.6.5 allow remote attackers to inject arbitrary web script or HTML via the language parameter to session/language.
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2022

CVE-2018-15918
Publication date:
05/09/2018
An issue was discovered in Jorani 0.6.5. SQL Injection (error-based) allows a user of the application without permissions to read and modify sensitive information from the database used by the application via the startdate or enddate parameter to leaves/validate.
Severity CVSS v4.0: Pending analysis
Last modification:
05/07/2022

CVE-2018-15683
Publication date:
05/09/2018
An issue was discovered in BTITeam XBTIT. The "returnto" parameter of the login page is vulnerable to an open redirect due to a lack of validation. If a user is already logged in when accessing the page, they will be instantly redirected.
Severity CVSS v4.0: Pending analysis
Last modification:
06/11/2018
Subscribe to Vulnerabilities